CVE-2021-42954

7.8 HIGH

📋 TL;DR

This vulnerability allows non-admin users on Windows systems to modify files in the Zoho Remote Access Plus installation directory because the directory's file permissions are overly permissive. Attackers can escalate privileges, reset passwords, access sensitive data including plaintext credentials, and tamper with configuration files. Affects organizations running the Zoho Remote Access Plus Server Windows Desktop Binary.

💻 Affected Systems

Products:
  • Zoho Remote Access Plus Server Windows Desktop Binary
Versions: Before 10.1.2121.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations where the Everyone group has full control permissions on the installation directory.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through privilege escalation, credential theft, and persistent backdoor installation via configuration tampering.

🟠 Likely Case

Unauthorized access to sensitive data including passwords, configuration files, and registry values, leading to lateral movement within the network.

🟢 If Mitigated

Limited impact when proper file permissions and access controls prevent unauthorized file modifications.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires local access, internet-facing systems could be targeted after initial foothold.
🏢 Internal Only: HIGH - Internal users with standard privileges can exploit this to gain administrative access and compromise the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but uses simple file permission manipulation techniques that are well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.2121.1 and later

Vendor Advisory: https://help.zoho.com/portal/en/kb/remote-access-plus/articles/security-advisory-for-cve-2021-42954

Restart Required: Yes

Instructions:

1. Download and install Zoho Remote Access Plus version 10.1.2121.1 or later from the official Zoho website.
2. Run the installer with administrative privileges.
3. Restart the Remote Access Plus service after installation completes.

🔧 Temporary Workarounds

Restrict Installation Directory Permissions

Manually adjust the installation directory's permissions to remove the Everyone group's access and restrict it to authorized principals only.

icacls "C:\Program Files\Zoho\RemoteAccessPlus" /remove:g "Everyone"
icacls "C:\Program Files\Zoho\RemoteAccessPlus" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unauthorized file modifications in the installation directory
  • Isolate affected systems from critical network segments and implement application whitelisting

🔍 How to Verify

Check if Vulnerable:

Check the file permissions on the Zoho Remote Access Plus installation directory with: icacls "C:\Program Files\Zoho\RemoteAccessPlus"

Check Version:

Check the version in Control Panel > Programs and Features or in the application's About dialog.

Verify Fix Applied:

Verify that the Everyone group no longer has Full Control (or any write access) on the installation directory and that the installed version is 10.1.2121.1 or later.
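The permission check and the version check above, combined into one audit script as an added example (not from the advisory or from Zoho). It flags any allow ACE on the install directory that gives a broad group (Everyone, Authenticated Users, Users, INTERACTIVE) write-capable rights, and compares the DisplayVersion recorded under the Uninstall registry keys against 10.1.2121.1. The install path and the DisplayName pattern are assumptions; adjust them to your installation.

```powershell
# Added example (not from the advisory): audit CVE-2021-42954 exposure.
# Assumptions: $InstallDir matches your install path; the Uninstall entry's
# DisplayName contains "Remote Access Plus".
param(
    [string]$InstallDir = 'C:\Program Files\Zoho\RemoteAccessPlus',
    [version]$FixedVersion = [version]'10.1.2121.1'
)
$FSR = [System.Security.AccessControl.FileSystemRights]
# Any of these rights lets a standard user alter binaries or config in the tree.
$writeMask = $FSR::Write -bor $FSR::Modify -bor $FSR::FullControl -bor
             $FSR::ChangePermissions -bor $FSR::TakeOwnership
# Broad principals that should never hold write rights on a service install dir.
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

function Get-WeakAces {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($broadSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                # Inherited ACEs are not removed by "icacls /remove:g";
                # disable inheritance (icacls /inheritance:d) first.
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-InstalledVersion {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like '*Remote Access Plus*' } |
             Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) { return [version]$entry.DisplayVersion }
    return $null
}

$weak = @(Get-WeakAces -Path $InstallDir)
$ver  = Get-InstalledVersion
Write-Host "Installed version: $(if ($ver) { $ver } else { 'not found' })"
if ($ver -and $ver -ge $FixedVersion) { Write-Host 'Version is at or above the fixed build.' }
else { Write-Host 'Version is below 10.1.2121.1 or unknown: update required.' }
if ($weak.Count -eq 0) { Write-Host "No broad-group write ACEs on $InstallDir." }
else { Write-Host 'Weak ACEs found (remediate per the workaround):'; $weak | Format-Table -AutoSize }
```

Run from an elevated PowerShell session so Get-Acl can read the full DACL; a non-empty table or a version below the fixed build means the host is still exposed.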

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4663 (File system access) showing unauthorized users accessing Zoho installation directory
  • Application logs showing unexpected configuration changes or service restarts

Network Indicators:

  • Unusual authentication attempts from previously unused accounts
  • Unexpected outbound connections from the Remote Access Plus server

SIEM Query:

EventID=4663 AND ObjectName LIKE "%Zoho%RemoteAccessPlus%" AND Accesses="WriteData" AND SubjectUserName NOT IN ("SYSTEM", "Administrator")
