CVE-2021-41291

7.5 HIGH

📋 TL;DR

CVE-2021-41291 is a path traversal vulnerability in ECOA BAS controllers that allows unauthenticated attackers to remotely disclose directory contents via the File Manager's GET parameter. This affects building automation systems using vulnerable ECOA controllers, potentially exposing sensitive configuration files and system information.

💻 Affected Systems

Products:
  • ECOA BAS controllers
Versions: Not detailed in the references; multiple versions appear to be affected
Operating Systems: Embedded/controller OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects File Manager functionality in ECOA BAS controllers; requires the File Manager component to be accessible

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could map the entire filesystem, locate and exfiltrate sensitive configuration files, credentials, or proprietary data, potentially enabling further attacks or system compromise.

🟠

Likely Case

Unauthenticated attackers scanning for vulnerable systems could enumerate directory structures and access readable files, exposing system information and configuration details.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to information disclosure within the segmented network zone.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple path traversal via GET parameter manipulation; no authentication required

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in references

Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-5127-3cbd3-1.html

Restart Required: Yes

Instructions:

1. Contact ECOA for specific patch information.
2. Apply vendor-provided firmware updates.
3. Restart affected controllers after patching.

🔧 Temporary Workarounds

  • Network segmentation and access control (all): Restrict network access to BAS controllers to only authorized management systems
  • Disable File Manager remote access (all): Configure controllers to disable remote File Manager access if not required

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate BAS controllers from untrusted networks
  • Deploy web application firewalls (WAF) with path traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Test if directory traversal is possible via File Manager GET parameter (e.g., attempt to access parent directories)

Check Version:

Check controller firmware version via management interface or vendor tools

Verify Fix Applied:

Verify patch version and retest path traversal attempts; ensure they are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET requests with path traversal patterns (../, ..\) to File Manager endpoints
  • Multiple failed directory traversal attempts

Network Indicators:

  • HTTP requests containing path traversal sequences to BAS controller IPs
  • Unusual traffic patterns to BAS controller File Manager endpoints

SIEM Query:

source_ip="*" AND (http_uri CONTAINS "../" OR http_uri CONTAINS "..\") AND destination_ip IN [BAS_controller_ips]

Pseudo-syntax; adapt to your SIEM. Match against the percent-decoded URI (or add the encoded forms %2e%2e%2f and %2e%2e%5c) so encoded traversal sequences are not missed.
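A worked version of the log indicators above, added here as an example and not part of the original advisory: it scans constructed Common Log Format lines (IPs, paths and the /filemanager endpoint are assumed, not the controller's real values), percent-decodes each request URI so encoded traversal sequences are caught, flags requests to the File Manager endpoint that contain ../ or ..\, and reports sources with repeated attempts.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Common Log Format, as a reverse proxy or the
# controller's own HTTP log might record them; IPs, paths and times are made up.
SAMPLE_LOG = """\
10.0.5.20 - - [12/Oct/2021:09:15:01 +0000] "GET /filemanager?dir=/config HTTP/1.1" 200 512
203.0.113.7 - - [12/Oct/2021:09:15:07 +0000] "GET /filemanager?dir=../../etc HTTP/1.1" 200 2048
203.0.113.7 - - [12/Oct/2021:09:15:09 +0000] "GET /filemanager?dir=%2e%2e%2f%2e%2e%2fetc HTTP/1.1" 200 2048
203.0.113.7 - - [12/Oct/2021:09:15:12 +0000] "GET /filemanager?dir=..%5c..%5cwindows HTTP/1.1" 404 0
10.0.5.20 - - [12/Oct/2021:09:16:00 +0000] "GET /status HTTP/1.1" 200 128
"""

# Captures: source IP, timestamp, method, request URI, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.(/|\\)')   # matches ../ and ..\

def decode_uri(uri, rounds=2):
    """Percent-decode up to `rounds` times so %2e%2e%2f and double-encoded
    forms are inspected in the same shape as a literal ../ or ..\\."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def find_traversal_requests(log_text, endpoint="/filemanager"):
    """Return (src_ip, status, decoded_uri) for every request to `endpoint`
    (an assumed File Manager path) whose decoded URI carries ../ or ..\\."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not in the expected log format
        src, _ts, _method, uri, status = m.groups()
        decoded = decode_uri(uri)
        if decoded.startswith(endpoint) and TRAVERSAL_RE.search(decoded):
            hits.append((src, int(status), decoded))
    return hits

def repeat_sources(hits, threshold=3):
    """Sources with at least `threshold` traversal attempts (the 'multiple
    attempts' indicator), counted whether or not the request succeeded."""
    counts = Counter(src for src, _status, _uri in hits)
    return {src: n for src, n in counts.items() if n >= threshold}
```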
