CVE-2021-41294 – ECOA BAS controller has an unauthenticated path... (How to Fix)

Q: What is the severity of CVE-2021-41294?

CVE-2021-41294 has a CVSS score of 9.1 (CRITICAL). ECOA BAS controller has an unauthenticated path traversal vulnerability that allows remote attackers to delete arbitrary files via a specific GET parameter. This can lead to denial of service by deleting critical system files. All unpatched ECOA BAS controller installations are affected.

📋 TL;DR

ECOA BAS controller has an unauthenticated path traversal vulnerability that allows remote attackers to delete arbitrary files via a specific GET parameter. This can lead to denial of service by deleting critical system files. All unpatched ECOA BAS controller installations are affected.

💻 Affected Systems

Products:

ECOA BAS controller

Versions: Specific versions not detailed in references, but all unpatched versions appear vulnerable

Operating Systems: Embedded/Linux-based controller OS

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in default configuration, no special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through deletion of critical operating system files, rendering the device permanently inoperable and disrupting building automation systems.

🟠

Likely Case

Denial of service by deleting configuration files or system binaries, causing the BAS controller to malfunction and requiring physical intervention to restore.

🟢

If Mitigated

Limited impact if network segmentation prevents external access and proper authentication controls are in place.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows attackers on the internet to directly compromise exposed devices.

🏢 Internal Only: HIGH - Even internally, unauthenticated access means any compromised internal system could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple path traversal via GET parameter makes exploitation trivial for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in provided references

Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-5130-7de92-1.html

Restart Required: Yes

Instructions:

1. Contact ECOA for patched firmware version. 2. Backup current configuration. 3. Apply firmware update following vendor instructions. 4. Restart device. 5. Verify fix by testing path traversal.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate BAS controllers from untrusted networks and internet access

Web Application Firewall

all

Deploy WAF with path traversal protection rules

🧯 If You Can't Patch

Implement strict network access controls to limit connections to BAS controllers
Monitor for suspicious file deletion events and unusual web requests to controller interfaces

🔍 How to Verify

Check if Vulnerable:

Test by attempting path traversal via web interface with crafted GET parameters targeting non-critical test files.

Check Version:

Check firmware version via web interface or console (vendor-specific command)

Verify Fix Applied:

Attempt same path traversal tests after patching; successful deletion should no longer occur.

📡 Detection & Monitoring

Log Indicators:

Web server logs showing GET requests with suspicious path traversal patterns
System logs showing unexpected file deletions

Network Indicators:

HTTP requests to controller with ../ patterns in parameters
Unusual file deletion operations over network

SIEM Query:

web.url:*../* AND (dst.port:80 OR dst.port:443) AND dst.ip:[CONTROLLER_IP]

📊 Metadata

CVE ID: CVE-2021-41294

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE: CWE-22

Published: September 30, 2021

Last Updated: November 21, 2024

🔗 References

https://www.twcert.org.tw/tw/cp-132-5130-7de92-1.html Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-5130-7de92-1.html Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-41294, you might also want to check these: