CVE-2021-41569 – CVE-2021-41569 is a local file inclusion vulner... (How to Fix)

Q: What is the severity of CVE-2021-41569?

CVE-2021-41569 has a CVSS score of 7.5 (HIGH). CVE-2021-41569 is a local file inclusion vulnerability in SAS/Intrnet 9.4 that allows authenticated users to escape macro variable constraints and execute functions to read arbitrary files from the host operating system. This affects organizations using SAS/Intrnet 9.4 build 1520 and earlier with the default samples library configuration.

📋 TL;DR

CVE-2021-41569 is a local file inclusion vulnerability in SAS/Intrnet 9.4 that allows authenticated users to escape macro variable constraints and execute functions to read arbitrary files from the host operating system. This affects organizations using SAS/Intrnet 9.4 build 1520 and earlier with the default samples library configuration.

💻 Affected Systems

Products:

SAS/Intrnet

Versions: 9.4 build 1520 and earlier

Operating Systems: All platforms running SAS/Intrnet

Default Config Vulnerable: ⚠️ Yes

Notes: Requires the default samples library to be present and accessible. The vulnerability is in the sample.webcsf1.sas program within the samples library.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read sensitive system files, configuration files, or data files, potentially leading to data exfiltration, credential theft, or further system compromise.

🟠

Likely Case

Authenticated users could read files they shouldn't have access to, potentially exposing sensitive application data or configuration information.

🟢

If Mitigated

With proper access controls and file system permissions, impact is limited to files accessible by the SAS application service account.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access to SAS/Intrnet. The vulnerability is well-documented with technical details available in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SAS/Intrnet 9.4 build 1521 and later

Vendor Advisory: https://support.sas.com/kb/68/641.html

Restart Required: Yes

Instructions:

1. Apply SAS/Intrnet 9.4 build 1521 or later. 2. Remove or restrict access to the samples library. 3. Restart SAS/Intrnet services.

🔧 Temporary Workarounds

Remove Samples Library

all

Delete or move the samples library directory to prevent access to vulnerable sample.webcsf1.sas program

rm -rf /path/to/sas/samples/library
mv /path/to/sas/samples/library /secure/location/

Restrict File System Access

linux

Apply strict file system permissions to limit what files the SAS service account can read

chmod 750 /sensitive/directories
chown root:sasgroup /sensitive/directories

🧯 If You Can't Patch

Remove or disable the samples library completely from all SAS/Intrnet installations
Implement network segmentation to isolate SAS/Intrnet servers and restrict access to sensitive file systems

🔍 How to Verify

Check if Vulnerable:

Check SAS/Intrnet version: if build number is 1520 or lower, check if samples library exists and contains sample.webcsf1.sas

Check Version:

Check SAS installation logs or configuration files for build number, or use SAS management console

Verify Fix Applied:

Verify SAS/Intrnet build number is 1521 or higher, and confirm samples library is removed or inaccessible

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns from SAS/Intrnet processes
Access to sample.webcsf1.sas program in web logs
Errors related to macro variable escaping in SAS logs

Network Indicators:

HTTP requests to SAS/Intrnet with unusual parameter values attempting file path traversal

SIEM Query:

source="sas_logs" AND ("sample.webcsf1" OR "DS2CSF macro" OR file_access_patterns)

📊 Metadata

CVE ID: CVE-2021-41569

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-829

Published: November 19, 2021

Last Updated: November 21, 2024

🔗 References

https://support.sas.com/kb/68/641.html Vendor Advisory
https://www.mindpointgroup.com/blog/high-risk-vulnerability-discovery-localfileinclusion-sas Exploit,Third Party Advisory
https://support.sas.com/kb/68/641.html Vendor Advisory
https://www.mindpointgroup.com/blog/high-risk-vulnerability-discovery-localfileinclusion-sas Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-41569, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Sas\/intrnet by Sas

Sas\/intrnet by Sas

Sas\/intrnet by Sas

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Remove Samples Library

Restrict File System Access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities