CVE-2021-43339

8.8 HIGH

📋 TL;DR

CVE-2021-43339 is a command injection vulnerability in Ericsson Network Location that allows authenticated attackers to execute arbitrary commands via the file_name parameter of the export functionality. This can lead to remote code execution, including the creation of new admin users. Organizations running Ericsson Network Location versions dated before 2021-07-31 are affected.

💻 Affected Systems

Products:
  • Ericsson Network Location
Versions: All versions before 2021-07-31
Operating Systems: Not OS-specific - affects the application itself
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the export functionality. The vulnerability is in the application's file handling mechanism.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with attacker gaining administrative control, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Unauthorized administrative access, data manipulation, and potential ransomware deployment within the affected system.

🟢 If Mitigated: Limited impact due to network segmentation and strict access controls, potentially only affecting the vulnerable application instance.

🌐 Internet-Facing: HIGH - If exposed to the internet, attackers can exploit this vulnerability remotely after authentication.
🏢 Internal Only: MEDIUM - Requires authenticated access, but insider threats or compromised credentials could lead to exploitation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public exploit scripts exist. Exploitation requires authenticated access but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions from 2021-07-31 onward

Vendor Advisory: Not publicly documented in vendor advisory

Restart Required: Yes

Instructions:

1. Update Ericsson Network Location to version dated 2021-07-31 or later.
2. Restart the application services.
3. Verify the update was successful.

🔧 Temporary Workarounds

  • Disable export functionality: Temporarily disable the export feature that contains the vulnerable file_name parameter. Application-specific configuration changes required.
  • Implement input validation: Add strict input validation for the file_name parameter to reject special characters. Application code modification required.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Ericsson Network Location systems
  • Enforce multi-factor authentication and strong credential policies for all admin accounts

🔍 How to Verify

Check if Vulnerable:

Check the Ericsson Network Location version date. If it is before 2021-07-31, the system is vulnerable.

Check Version:

Application-specific command or check version in admin interface

Verify Fix Applied:

Verify that the application version shows a date of 2021-07-31 or later. Test export functionality with malicious input to confirm sanitization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual export operations
  • Commands with special characters in file_name parameter
  • New admin user creation logs

Network Indicators:

  • Unexpected outbound connections from Ericsson Network Location system
  • Command and control traffic patterns

SIEM Query:

source="ericsson_network_location" AND event="export" AND (file_name CONTAINS "|" OR file_name CONTAINS ";" OR file_name CONTAINS "$")
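
The input-validation workaround and the SIEM query above can share one allowlist check. The following is an added example, not vendor code or part of the original advisory. The key=value log format, the field names other than file_name, and the allowlist pattern are assumptions; the sample lines are constructed. It goes beyond the three characters in the query by flagging any export whose file_name falls outside the allowlist.

```python
import re
import shlex

# Assumed allowlist for export file names: letters, digits, dot, underscore,
# hyphen. The first character must be alphanumeric, so "-x" or ".hidden" fail.
SAFE_FILE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

def is_safe_file_name(name: str) -> bool:
    """True only if the whole name matches the allowlist and has no '..'."""
    return bool(SAFE_FILE_NAME.fullmatch(name)) and ".." not in name

def parse_event(line: str) -> dict:
    """Parse an assumed key=value log line; values may be double-quoted."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def suspicious_exports(lines):
    """Return export events whose file_name is missing or fails the allowlist."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event.get("event") != "export":
            continue
        if not is_safe_file_name(event.get("file_name", "")):
            hits.append(event)
    return hits

# Constructed sample log lines (not real product output).
SAMPLE_LOG = [
    'ts=2021-08-01T10:00:00Z user=alice event=export file_name="report_2021-07.csv"',
    'ts=2021-08-01T10:05:00Z user=bob event=export file_name="out.csv;x"',
    'ts=2021-08-01T10:06:00Z user=bob event=export file_name="a|b"',
    'ts=2021-08-01T10:07:00Z user=carol event=login file_name="n/a;"',
    'ts=2021-08-01T10:08:00Z user=bob event=export file_name="$x.csv"',
    'ts=2021-08-01T10:09:00Z user=dave event=export file_name="my report.csv"',
]

if __name__ == "__main__":
    for hit in suspicious_exports(SAMPLE_LOG):
        print(hit["ts"], hit["user"], repr(hit["file_name"]))
```

The same `is_safe_file_name` check can be applied server-side before the export runs, so rejected requests and flagged log entries follow one rule.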