CVE-2021-41301
📋 TL;DR
The ECOA BAS controller has an insecure direct object reference vulnerability that allows unauthenticated attackers to access configuration files via HTTP GET requests. This exposes sensitive information that can lead to authentication bypass, privilege escalation, and full system compromise. Organizations using vulnerable ECOA BAS controllers are affected.
💻 Affected Systems
- ECOA BAS controller
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing an attacker to gain administrative access, modify building automation systems, disable security controls, and potentially cause physical damage to building systems.
Likely Case
Authentication bypass leading to unauthorized access to building automation systems, privilege escalation to administrative functions, and exposure of sensitive configuration data.
If Mitigated
Limited information disclosure if proper network segmentation and access controls are implemented, preventing full system compromise.
🎯 Exploit Status
Simple HTTP GET requests to specific file paths can disclose sensitive configuration information without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in available references
Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html
Restart Required: Yes
Instructions:
1. Contact ECOA for specific patch information
2. Apply vendor-provided firmware update
3. Restart controller
4. Verify patch application
🔧 Temporary Workarounds
Network Segmentation
Isolate BAS controllers from untrusted networks and implement strict firewall rules
Access Control Lists
Implement IP-based restrictions to limit HTTP access to trusted management stations only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate BAS controllers from all untrusted networks
- Deploy web application firewall (WAF) rules to block direct object reference patterns
🔍 How to Verify
Check if Vulnerable:
Attempt HTTP GET requests to known configuration file paths on the controller (e.g., /config/*, /settings/*) and check for sensitive information disclosure
Check Version:
Check controller web interface or contact vendor for version information
Verify Fix Applied:
Test the same HTTP GET requests after patching to confirm they no longer return sensitive configuration data
📡 Detection & Monitoring
Log Indicators:
- Multiple HTTP GET requests to configuration file paths
- Unauthenticated access attempts to sensitive URLs
- Unusual file access patterns from external IPs
Network Indicators:
- HTTP traffic to controller on unusual ports
- GET requests to /config/*, /settings/* paths
- Traffic from unexpected sources to BAS controller
SIEM Query:
source_ip=* AND dest_ip=BAS_CONTROLLER_IP AND http_method=GET AND (url_path CONTAINS '/config/' OR url_path CONTAINS '/settings/')
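The log indicators above turned into a detection pass over access-log lines, as an added example (not vendor code and not part of the original advisory); the Common Log Format, the /config/ and /settings/ prefixes, the trusted management subnet 10.10.0.0/24 and the sample log lines are all constructed assumptions:

```python
"""Flag HTTP GET requests to configuration paths on a BAS controller in access-log
lines, per the CVE-2021-41301 log indicators. Added example: the log format,
path prefixes and trusted subnet are assumptions, not vendor specifics."""
import ipaddress
import re
from collections import defaultdict

# Common Log Format (assumed); adjust the regex to the controller's real log format.
CLF = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                 r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SENSITIVE_PREFIXES = ("/config/", "/settings/")       # paths named in the indicators
TRUSTED_MGMT = ipaddress.ip_network("10.10.0.0/24")   # assumed management subnet


def parse_line(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def detect(lines, trusted=TRUSTED_MGMT):
    """Summarise, per source IP, GET requests that touched sensitive paths."""
    hits = defaultdict(lambda: {"count": 0, "paths": set(), "unauthenticated": 0,
                                "served": 0, "external": False})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        if not rec["path"].startswith(SENSITIVE_PREFIXES):
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["paths"].add(rec["path"])
        if rec["user"] == "-":        # CLF shows no authenticated remote user
            h["unauthenticated"] += 1
        if rec["status"] == "200":    # request was served: data was likely disclosed
            h["served"] += 1
        h["external"] = ipaddress.ip_address(rec["ip"]) not in trusted
    return dict(hits)


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '10.10.0.5 - admin [01/Oct/2021:10:00:01 +0000] "GET /settings/net.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Oct/2021:10:00:02 +0000] "GET /config/main.cfg HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Oct/2021:10:00:03 +0000] "GET /config/net.cfg HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Oct/2021:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 300',
    '198.51.100.9 - - [01/Oct/2021:10:00:05 +0000] "POST /config/main.cfg HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, summary in detect(SAMPLE_LOG).items():
        print(ip, summary)
```

An external source with several unauthenticated, served GETs to these paths is the pattern worth alerting on; an authenticated request from the management subnet is expected administration.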