CVE-2021-43829
📋 TL;DR
CVE-2021-43829 is an unrestricted file upload vulnerability in PatrOwl Manager's findings import feature. Attackers can upload malicious files leading to cross-site scripting (XSS) and potential code injection. All PatrOwl Manager instances prior to version 1.7.7 are affected.
💻 Affected Systems
- PatrOwl Manager
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data theft, and lateral movement within the network.
Likely Case
Cross-site scripting attacks stealing session cookies, performing actions as authenticated users, and defacing the application.
If Mitigated
Limited impact with proper file validation and server hardening, though XSS may still affect users.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Public proof-of-concept exists in advisory references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.7
Vendor Advisory: https://github.com/Patrowl/PatrowlManager/security/advisories/GHSA-5hc9-6hq4-2xfx
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Stop the PatrOwl Manager service.
3. Update to version 1.7.7 via git pull or package update.
4. Restart the PatrOwl Manager service.
5. Verify functionality.
🔧 Temporary Workarounds
Disable findings import feature
Temporarily disable the vulnerable findings import functionality until patching is possible.
# Modify PatrOwl Manager configuration to disable import features
# Check documentation for specific configuration options
🧯 If You Can't Patch
- Implement strict web application firewall (WAF) rules to block file uploads with dangerous extensions
- Restrict network access to PatrOwl Manager to only trusted IP addresses and users
🔍 How to Verify
Check if Vulnerable:
Check the PatrOwl Manager version via the web interface or configuration files. If the version is below 1.7.7, the system is vulnerable.
Check Version:
Check web interface or grep for version in configuration files: grep -r 'version' /path/to/patrowl/config/
Verify Fix Applied:
After updating, verify that the version is 1.7.7 or higher and test the file upload functionality with restricted file types.
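A version check that backs the verification steps above, added here as an example (it is not part of the advisory or of PatrOwl's own code). It compares an installed version string against the fixed version 1.7.7 numerically, so that a release such as 1.10.0 is not misjudged as older than 1.7.7 by plain string comparison, and it pulls the first version assignment out of configuration text such as the output of the grep above. The version string format (dotted integers, optional `v` prefix) and the config line shape are assumptions.

```python
"""
Added example (not from the advisory or the PatrOwl project): decide whether an
installed PatrOwl Manager version is below the fixed version 1.7.7.

Assumptions: version strings are dotted integers, optionally prefixed with 'v';
configuration files carry a line like  VERSION = '1.7.6'  (constructed shape).
"""
import re

FIXED_VERSION = "1.7.7"  # patch version named in the advisory


def parse_version(s):
    """'v1.7.6' -> (1, 7, 6). Raises ValueError on strings that carry no number."""
    s = s.strip().lstrip("vV")
    m = re.match(r"^(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(t, n):
    # Treat missing trailing components as 0 so (1, 7) compares as 1.7.0.
    return t + (0,) * (n - len(t))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when `installed` sorts numerically before `fixed` (i.e. is older than 1.7.7)."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return _pad(a, n) < _pad(b, n)


def extract_version(config_text):
    """Return the first 'version = ...' / 'version: ...' value found in config text, or None."""
    m = re.search(r"version\s*[=:]\s*['\"]?v?(\d+(?:\.\d+)*)", config_text, re.IGNORECASE)
    return m.group(1) if m else None


# Constructed sample of what the advisory's grep might print (not real PatrOwl output).
SAMPLE_GREP_OUTPUT = "settings.py:APP_VERSION = '1.7.6'"

if __name__ == "__main__":
    found = extract_version(SAMPLE_GREP_OUTPUT)
    print(f"installed version: {found}")
    print("vulnerable" if is_vulnerable(found) else "fixed")
```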
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to findings import endpoint
- Uploads with non-standard file extensions
- Multiple failed upload attempts
Network Indicators:
- HTTP POST requests to /findings/import endpoint with file uploads
- Uploads of files with dangerous extensions (.php, .html, .js)
SIEM Query:
source="patrowl" AND url="/findings/import" AND method="POST" AND file_extension IN ("php", "html", "js", "exe", "sh")
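The same detection logic expressed as a small Python script over constructed log events, added here as an example (not code from the advisory or from PatrOwl). It flags POST requests to the findings import endpoint carrying one of the dangerous extensions listed above, and separately reports users with repeated failed upload attempts, which the log indicators above call out. The JSON event shape (fields `source`, `user`, `method`, `url`, `file_extension`, `status`) is an assumption chosen to mirror the SIEM query's field names; PatrOwl Manager's real log format is not described on this page, and the failure threshold of three is likewise assumed.

```python
"""
Added example (not part of the advisory or of PatrOwl): apply the advisory's
detection indicators to constructed application log events.

Assumed event shape: one JSON object per line with the fields the SIEM query
references (source, method, url, file_extension) plus user, status and ts.
"""
import json
from collections import Counter

DANGEROUS_EXTENSIONS = {"php", "html", "js", "exe", "sh"}  # extensions from the advisory's SIEM query
IMPORT_ENDPOINT = "/findings/import"
FAILED_UPLOAD_THRESHOLD = 3  # assumption: three or more failures by one user counts as "multiple"

# Constructed sample events; these are not real PatrOwl logs.
SAMPLE_LOG = """\
{"ts": "2021-12-10T10:00:01Z", "source": "patrowl", "user": "alice", "method": "POST", "url": "/findings/import", "file_extension": "json", "status": 200}
{"ts": "2021-12-10T10:00:07Z", "source": "patrowl", "user": "bob", "method": "POST", "url": "/findings/import", "file_extension": "html", "status": 200}
{"ts": "2021-12-10T10:00:09Z", "source": "patrowl", "user": "bob", "method": "POST", "url": "/findings/import", "file_extension": "php", "status": 400}
{"ts": "2021-12-10T10:00:11Z", "source": "patrowl", "user": "bob", "method": "POST", "url": "/findings/import", "file_extension": "sh", "status": 400}
{"ts": "2021-12-10T10:00:13Z", "source": "patrowl", "user": "bob", "method": "POST", "url": "/findings/import", "file_extension": "exe", "status": 400}
{"ts": "2021-12-10T10:00:20Z", "source": "patrowl", "user": "carol", "method": "GET", "url": "/findings/list", "file_extension": "", "status": 200}
{"ts": "2021-12-10T10:00:25Z", "source": "nginx", "user": "-", "method": "POST", "url": "/findings/import", "file_extension": "js", "status": 200}
"""


def parse_events(text):
    """Parse newline-delimited JSON; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_dangerous_import(event):
    """Mirror the SIEM query: PatrOwl source, POST to the import endpoint, dangerous extension."""
    return (
        event.get("source") == "patrowl"
        and event.get("method") == "POST"
        and event.get("url") == IMPORT_ENDPOINT
        and str(event.get("file_extension", "")).lower() in DANGEROUS_EXTENSIONS
    )


def dangerous_imports(events):
    """All events matching the dangerous-upload rule."""
    return [e for e in events if is_dangerous_import(e)]


def repeated_failures(events, threshold=FAILED_UPLOAD_THRESHOLD):
    """Users with `threshold` or more failed (HTTP 4xx/5xx) POSTs to the import endpoint."""
    counts = Counter(
        e.get("user")
        for e in events
        if e.get("url") == IMPORT_ENDPOINT
        and e.get("method") == "POST"
        and int(e.get("status", 0)) >= 400
    )
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in dangerous_imports(evs):
        print(f"[dangerous upload] {hit['ts']} user={hit['user']} ext={hit['file_extension']} status={hit['status']}")
    for user, n in repeated_failures(evs).items():
        print(f"[repeated failures] user={user} failed_uploads={n}")
```

The `source` check matters: the nginx line in the sample carries a `.js` POST to the same path but is excluded, so the rule fires on the application's own events rather than on every proxy entry; drop that condition if the SIEM only ingests proxy logs.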
🔗 References
- https://github.com/Patrowl/PatrowlManager/commit/2287c9715d2e7ef11b44bb0ad4a57727654f2203
- https://github.com/Patrowl/PatrowlManager/security/advisories/GHSA-5hc9-6hq4-2xfx
- https://huntr.dev/bounties/17324785-f83a-4058-ac40-03f2bfa16399/