CVE-2021-40091
📋 TL;DR
CVE-2021-40091 is a Server-Side Request Forgery (SSRF) vulnerability in SquaredUp for SCOM that allows attackers to make unauthorized requests from the vulnerable server to internal or external systems. This affects organizations running SquaredUp for SCOM version 5.2.1.6654. Attackers could potentially access internal services, perform port scanning, or interact with cloud metadata services.
💻 Affected Systems
- SquaredUp for SCOM
📦 What is this software?
Squaredup by Squaredup
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, cloud metadata APIs, or perform lateral movement to compromise other systems in the network.
Likely Case
Information disclosure from internal services, port scanning of internal networks, or interaction with cloud metadata endpoints.
If Mitigated
Limited impact if network segmentation restricts outbound connections and internal services require authentication.
🎯 Exploit Status
SSRF vulnerabilities typically have low exploitation complexity, especially when unauthenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.0 or later
Vendor Advisory: https://support.squaredup.com/hc/en-us/articles/4410656394129-CVE-2021-40091-SSRF-issue
Restart Required: Yes
Instructions:
1. Download SquaredUp for SCOM version 5.3.0 or later from the vendor portal.
2. Backup current configuration.
3. Run the installer to upgrade.
4. Restart the SquaredUp service.
🔧 Temporary Workarounds
Network Segmentation
Restrict outbound network connections from the SquaredUp server to only necessary services.
Web Application Firewall Rules
Configure WAF rules to block SSRF patterns and restrict URL schemes in requests.
🧯 If You Can't Patch
- Implement strict network egress filtering to limit the SquaredUp server's outbound connections
- Deploy a reverse proxy with request validation to filter malicious SSRF attempts
🔍 How to Verify
Check if Vulnerable:
Check SquaredUp version in the web interface under Settings > About, or examine installed programs in Windows Control Panel.
Check Version:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "*SquaredUp*"} | Select-Object DisplayName, DisplayVersion
Verify Fix Applied:
Verify that the installed version is 5.3.0 or higher and that SSRF attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from SquaredUp server to internal IPs or cloud metadata endpoints
- Requests containing file://, gopher://, or other unusual URI schemes
Network Indicators:
- HTTP traffic from SquaredUp server to unexpected internal services or cloud metadata IPs (169.254.169.254 for AWS)
SIEM Query:
source="squaredup" AND (url="*file://*" OR url="*gopher://*" OR dst_ip="169.254.169.254")
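As an added example (not from the advisory or the vendor), a small Python script that evaluates the DisplayVersion returned by the registry check above against the fixed release and scans outbound-request log lines for the indicators listed in this section; the log format and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample log (hypothetical "<ts> <host> -> <dst_ip>:<port> <method> <url>" format).
SAMPLE_LOG = """\
2021-10-01T10:00:01Z squaredup01 -> 10.0.0.12:443 GET https://scom-ms01.corp.local/api/health
2021-10-01T10:00:05Z squaredup01 -> 169.254.169.254:80 GET http://169.254.169.254/latest/meta-data/
2021-10-01T10:00:09Z squaredup01 -> 10.0.0.12:443 GET https://app.corp.local/fetch?target=gopher://10.0.0.5:70/
2021-10-01T10:00:12Z squaredup01 -> 10.0.0.12:443 GET https://app.corp.local/fetch?target=file:///C:/inetpub/config.xml
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) -> (?P<dst>[\d.]+):\d+ \S+ (?P<url>\S+)$")
SUSPECT_SCHEMES = {"file", "gopher", "dict", "ldap"}  # file/gopher from the advisory; others assumed
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # contains the 169.254.169.254 metadata endpoint

def _is_link_local_host(host):
    """True when host is an IP literal inside the link-local (cloud metadata) range."""
    try:
        return ipaddress.ip_address(host) in LINK_LOCAL
    except ValueError:  # a hostname, not an IP literal
        return False

def find_ssrf_indicators(log_text):
    """Return (timestamp, url, reasons) for each line matching the advisory's indicators."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = []
        if _is_link_local_host(m["dst"]):
            reasons.append("dst:metadata")
        # Inspect the request URL itself and every URL handed over in a query parameter.
        candidates = [m["url"]] + [v for vals in parse_qs(urlparse(m["url"]).query).values() for v in vals]
        for cand in candidates:
            parsed = urlparse(cand)
            if parsed.scheme.lower() in SUSPECT_SCHEMES:
                reasons.append(f"scheme:{parsed.scheme.lower()}")
            if parsed.hostname and _is_link_local_host(parsed.hostname):
                reasons.append("url-host:metadata")
        if reasons:
            findings.append((m["ts"], m["url"], reasons))
    return findings

def is_vulnerable_version(display_version, fixed="5.3.0"):
    """Compare a DisplayVersion string (e.g. 5.2.1.6654) against the fixed release."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(display_version) < as_tuple(fixed)
```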