CVE-2021-43973
📋 TL;DR
This vulnerability allows authenticated remote attackers to upload arbitrary files to SysAid ITIL servers via the /UploadPsIcon.jsp endpoint. Successful exploitation reveals the server-side file path, potentially enabling further attacks like remote code execution. Organizations running vulnerable SysAid ITIL versions are affected.
💻 Affected Systems
- SysAid ITIL
📦 What is this software?
SysAid by SysAid
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Webshell deployment allowing persistent access, file system manipulation, and potential privilege escalation.
If Mitigated
Limited to file upload with path disclosure but no execution due to proper file validation and security controls.
🎯 Exploit Status
Exploitation requires authentication but is straightforward once authenticated. Public proof-of-concept exists in advisory references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.sysaid.com/it-service-management-software/incident-management
Restart Required: Yes
Instructions:
1. Check SysAid vendor advisory for patched version.
2. Backup configuration and data.
3. Apply the patch or upgrade to fixed version.
4. Restart SysAid services.
5. Verify fix by testing upload functionality.
🔧 Temporary Workarounds
Disable /UploadPsIcon.jsp endpoint
Block or remove access to the vulnerable endpoint via web server configuration or application firewall.
# Example for Apache (mod_rewrite, server or vhost context; NC makes the match case-insensitive):
# RewriteEngine On
# RewriteRule ^/UploadPsIcon\.jsp$ - [F,NC]
# Example for Nginx:
# location = /UploadPsIcon.jsp { return 403; }
Implement file upload restrictions
Configure web application firewall or reverse proxy to restrict file uploads to specific types and sizes.
# WAF rule example: Block .jsp, .war, .jar uploads
# ModSecurity (requires SecRequestBodyAccess On). FILES holds the client-supplied upload file names;
# FILES_TMPNAMES only holds the temporary paths on disk, so it would never match an extension.
# The rule id 100001 is a placeholder; use one that is free in your ruleset.
# SecRule FILES "@rx (?i)\.(jsp|war|jar)$" "id:100001,phase:2,deny,status:403,msg:'Blocked upload of server-executable file'"
🧯 If You Can't Patch
- Implement network segmentation to isolate SysAid servers from critical systems
- Deploy application-level controls like WAF with specific rules blocking malicious file uploads
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a test file via POST to /UploadPsIcon.jsp with a file parameter. If the upload succeeds and the response returns the server-side path, the system is vulnerable.
Check Version:
Check SysAid administration interface or configuration files for version information.
Verify Fix Applied:
Attempt the same upload test after patching; should fail or return error without path disclosure.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /UploadPsIcon.jsp
- File upload activity with unusual file extensions
- Error logs showing path disclosure
Network Indicators:
- POST requests to /UploadPsIcon.jsp with file uploads
- Unusual outbound connections from SysAid server
SIEM Query:
source="sysaid" AND (url="/UploadPsIcon.jsp" OR file_upload="true")
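As an added example (not part of this advisory and not SysAid code), the Python below applies the log indicators above to a few constructed access-log lines in Apache/Nginx combined format: it parses each entry, flags POST requests to /UploadPsIcon.jsp (query string and letter case ignored), and counts per source address the requests that received a 2xx response, since a 403 from the web-server block above is evidence the workaround is in place rather than of a successful upload. The sample lines, IP addresses, user names and timestamps are all constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [02/Mar/2024:10:15:01 +0000] "GET /Login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - admin [02/Mar/2024:10:15:09 +0000] "POST /UploadPsIcon.jsp HTTP/1.1" 200 312 "-" "python-requests/2.31"
10.0.0.7 - - [02/Mar/2024:10:16:22 +0000] "GET /UploadPsIcon.jsp HTTP/1.1" 200 118 "-" "Mozilla/5.0"
10.0.0.5 - admin [02/Mar/2024:10:16:40 +0000] "POST /uploadpsicon.jsp?x=1 HTTP/1.1" 200 298 "-" "python-requests/2.31"
10.0.0.9 - - [02/Mar/2024:10:17:03 +0000] "POST /UploadPsIcon.jsp HTTP/1.1" 403 0 "-" "curl/8.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

VULN_ENDPOINT = "/UploadPsIcon.jsp"


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so "/UploadPsIcon.jsp?x=1" still matches the endpoint.
    rec["path"] = rec["target"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def is_upload_hit(rec):
    """True for a POST to the vulnerable endpoint. The path comparison is deliberately
    case-insensitive: reviewing a false positive is cheaper than missing a variant."""
    return rec["method"] == "POST" and rec["path"].lower() == VULN_ENDPOINT.lower()


def scan_log(text):
    """Return the parsed records for every POST to /UploadPsIcon.jsp found in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_upload_hit(rec):
            hits.append(rec)
    return hits


def successful_uploads_by_ip(hits):
    """Count, per client IP, the hits that received a 2xx response.
    Requests answered with 403 (e.g. by the web-server block in the workarounds) are
    excluded: they show the endpoint was probed but the upload was refused."""
    return dict(Counter(h["ip"] for h in hits if 200 <= h["status"] < 300))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} user={h["user"]} {h["method"]} {h["path"]} -> {h["status"]} ua={h["ua"]}')
    print("successful uploads per source:", successful_uploads_by_ip(found))
```

On the sample input the scan reports three POSTs to the endpoint (two accepted from 10.0.0.5, one refused with 403 from 10.0.0.9); the access log alone cannot show whether the response body leaked the server-side path, so a 2xx hit should be correlated with the SysAid application logs before it is treated as a confirmed upload.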
🔗 References
- https://github.com/atredispartners/advisories/blob/master/ATREDIS-2021-0002.md
- https://github.com/atredispartners/advisories/blob/master/ATREDIS-2022-0001.md
- https://www.sysaid.com/it-service-management-software/incident-management