CVE-2021-40612
📋 TL;DR
CVE-2021-40612 is an unauthenticated remote code execution vulnerability in Opmantek Open-AudIT. Attackers can execute arbitrary commands on affected systems without authentication. This affects Open-AudIT installations after version 3.5.0.
💻 Affected Systems
- Opmantek Open-AudIT
📦 What is this software?
Open-AudIT by Opmantek, a network discovery and device inventory (audit) application.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, install malware, steal data, pivot to other systems, and maintain persistent access.
Likely Case
Attackers gain shell access to the Open-AudIT server, potentially compromising the entire system and any connected network devices.
If Mitigated
Limited impact if network segmentation, proper authentication, and monitoring prevent exploitation attempts.
🎯 Exploit Status
The vulnerability is in a publicly accessible controller file (util.php) and requires minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit c7595cbb092e410a487f03c0eb536cf19e538860 and subsequent releases
Vendor Advisory: https://community.opmantek.com/pages/viewpage.action?pageId=65504438
Restart Required: No
Instructions:
1. Update Open-AudIT to the latest version.
2. Apply the specific patch from commit c7595cbb092e410a487f03c0eb536cf19e538860 if not updating fully.
3. Verify the util.php file no longer contains the vulnerable code.
🔧 Temporary Workarounds
Restrict access to util.php
Block or restrict access to the vulnerable util.php file via web server configuration or firewall rules.
# Apache: Add to .htaccess or virtual host config
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead)
<Files "util.php">
Order Deny,Allow
Deny from all
</Files>
# Nginx: Add to server block
location ~ /util\.php$ {
deny all;
return 403;
}
Network segmentation
Isolate Open-AudIT servers from the internet and restrict internal access to authorized networks only.
# Example firewall rules to restrict access (replace trusted_network with your CIDR; add matching rules for 443 if HTTPS is used)
# iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Immediately restrict network access to Open-AudIT servers to only authorized IP addresses
- Implement web application firewall (WAF) rules to block requests to util.php and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check if util.php exists at code_igniter/application/controllers/util.php and contains vulnerable code patterns. Test with a non-destructive payload if safe.
Check Version:
# Check Open-AudIT version via web interface or configuration files
# Typically in /usr/local/open-audit/www/open-audit/index.php or similar
Verify Fix Applied:
Verify util.php has been patched or removed. Check Open-AudIT version is updated beyond the vulnerable commit.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to util.php
- Command execution patterns in web logs
- Unexpected system processes spawned from web server user
Network Indicators:
- HTTP requests to /util.php with suspicious parameters
- Outbound connections from Open-AudIT server to unknown destinations
SIEM Query:
source="web_logs" AND uri="/util.php" AND (method="POST" OR params CONTAINS "system" OR params CONTAINS "exec")
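The log indicators and the SIEM query above can be applied directly to web server access logs. The following is an added example (not part of the advisory or of Open-AudIT) that parses combined-format access log lines, flags requests to util.php, and reports why each one matters: a POST, a parameter mentioning "system" or "exec" (plus a few assumed extra PHP command-execution function names), or a 2xx response that means the util.php block from the workaround section is not actually in effect. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format as written by Apache and the default Nginx log_format.
# The regex only needs the request line and status; referrer/user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# "system" and "exec" come from the SIEM query on the page; the remaining names
# are assumed additions covering other PHP command-execution functions.
SUSPICIOUS_TOKENS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")

# Constructed sample log lines (not real traffic): an unblocked POST, a blocked GET
# with a suspicious parameter, a normal Open-AudIT page view, and a blocked plain GET.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "POST /open-audit/code_igniter/application/controllers/util.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2021:13:55:40 +0000] "GET /open-audit/code_igniter/application/controllers/util.php?q=exec HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2021:13:56:02 +0000] "GET /open-audit/index.php/devices HTTP/1.1" 200 8844 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2021:13:57:10 +0000] "GET /open-audit/code_igniter/application/controllers/util.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format access log line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # Decode once so %-encoded parameter values are inspected as clear text.
    entry["params"] = {
        k.lower(): unquote(v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
    }
    return entry


def assess(entry):
    """Return (severity, reasons) for a parsed entry; severity is 'none', 'info' or 'high'."""
    if "util.php" not in entry["path"]:
        return "none", []
    reasons = []
    if entry["method"] == "POST":
        reasons.append("POST to util.php")
    for name, value in entry["params"].items():
        blob = f"{name}={value}".lower()
        hits = [t for t in SUSPICIOUS_TOKENS if t in blob]
        if hits:
            reasons.append(f"parameter {name!r} mentions {', '.join(hits)}")
    if entry["status"].startswith("2"):
        # With the Apache/Nginx block in place, util.php should answer 403, never 2xx.
        reasons.append(f"util.php answered {entry['status']} (block not in effect?)")
    if reasons:
        return "high", reasons
    return "info", ["request to util.php (blocked or non-2xx)"]


def scan(lines):
    """Return [(line_number, severity, reasons)] for every util.php request found."""
    findings = []
    for number, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue
        severity, reasons = assess(entry)
        if severity != "none":
            findings.append((number, severity, reasons))
    return findings


if __name__ == "__main__":
    for number, severity, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {severity.upper()} - {'; '.join(reasons)}")
```

Run it over a real access log with `scan(open("/var/log/apache2/access.log").read().splitlines())`. Substring matching on "exec" is deliberately loose (it also catches "shell_exec"), so treat "high" findings as triage candidates rather than confirmed exploitation, and pair them with the process-spawn indicator listed above (unexpected child processes of the web server user).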
🔗 References
- https://community.opmantek.com/pages/viewpage.action?pageId=65504438
- https://github.com/Opmantek/open-audit/commit/c7595cbb092e410a487f03c0eb536cf19e538860