CVE-2021-44429

7.5 HIGH

📋 TL;DR

CVE-2021-44429 is a buffer overflow vulnerability in the Serva TFTP server that allows remote attackers to crash the daemon via specially crafted TFTP read requests. It affects Serva 4.4.0 installations with TFTP enabled. The vulnerability is related to a similar issue previously identified as CVE-2013-0145.

💻 Affected Systems

Products:
  • Serva
Versions: 4.4.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Serva installations with TFTP service enabled. Serva is primarily used for PXE boot and network installation services.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if the buffer overflow can be controlled to execute arbitrary code.

🟠

Likely Case

Denial of service through daemon crash, disrupting TFTP services and potentially affecting PXE boot operations.

🟢

If Mitigated

Limited to service disruption if the exploit only triggers a crash without code execution.

🌐 Internet-Facing: HIGH - TFTP servers exposed to internet can be attacked by anyone without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this to disrupt network boot services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on Packet Storm. TFTP protocol requires no authentication, making exploitation trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.0 or later

Vendor Advisory: https://www.vercot.com/~serva/

Restart Required: Yes

Instructions:

1. Download Serva 4.5.0 or later from the official website.
2. Stop the Serva service.
3. Install the new version.
4. Restart the Serva service.

🔧 Temporary Workarounds

Disable TFTP Service

Platform: Windows

Disable TFTP functionality in Serva if not required for operations.

  • Edit Serva.ini and set TFTP=0
  • Restart the Serva service

Network Segmentation

Platform: Windows

Restrict TFTP port (69/UDP) access to trusted networks only.

  • Windows Firewall: create a New Inbound Rule blocking UDP port 69 from untrusted networks

🧯 If You Can't Patch

  • Implement strict network access controls to limit TFTP port access to required systems only.
  • Monitor Serva logs for crash events and implement alerting for service disruptions.

🔍 How to Verify

Check if Vulnerable:

Check the Serva version in the GUI or in Serva.ini; version 4.4.0 is vulnerable.

Check Version:

Check Serva.ini or the Serva GUI for version information.

Verify Fix Applied:

Verify Serva version is 4.5.0 or later and test TFTP functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

  • Serva service crash logs
  • TFTP error messages in Serva logs
  • System event logs showing service termination

Network Indicators:

  • Unusual TFTP traffic patterns
  • Multiple TFTP read requests (RRQ) from a single source
  • Malformed or oversized TFTP packets with opcode 1 (RRQ)

SIEM Query:

(source="serva.log" AND ("crash" OR "error" OR "terminated")) OR (destination_port=69 AND protocol=UDP AND packet_size>512)
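Added example, not part of this advisory or of Serva: a small Python checker that applies the Network Indicators above (malformed or oversized opcode-1 RRQ packets, many RRQs from one source) to captured UDP/69 payloads. The size thresholds, burst count and sample packets are constructed assumptions.

```python
"""Flag suspicious TFTP read requests (opcode 1, RRQ) in captured UDP/69 payloads."""
import struct
from collections import Counter

OPCODE_RRQ = 1
VALID_MODES = {"netascii", "octet", "mail"}   # modes defined by RFC 1350
MAX_SANE_RRQ = 512        # assumption: a legitimate RRQ is far smaller than one TFTP block
MAX_SANE_FILENAME = 255   # assumption: typical filesystem path-component limit


def inspect_rrq(payload: bytes) -> list:
    """Return indicator strings for one UDP payload; [] means it looks normal."""
    findings = []
    if len(payload) < 2:
        return ["truncated packet"]
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode != OPCODE_RRQ:
        return []                      # only RRQ is in scope for this CVE
    if len(payload) > MAX_SANE_RRQ:
        findings.append("oversized RRQ")
    # RFC 1350 RRQ body: filename NUL mode NUL (RFC 2347 options may follow)
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":
        findings.append("missing NUL terminator")
        return findings
    filename, mode = fields[0], fields[1]
    if len(filename) > MAX_SANE_FILENAME:
        findings.append("oversized filename")
    if mode.lower().decode("ascii", "replace") not in VALID_MODES:
        findings.append("invalid mode")
    return findings


def scan(packets: list, rrq_burst: int = 5) -> dict:
    """packets: list of (src_ip, payload). Returns {src_ip: [indicators]}."""
    report, rrq_count = {}, Counter()
    for src, payload in packets:
        for hit in inspect_rrq(payload):
            report.setdefault(src, []).append(hit)
        if payload[:2] == b"\x00\x01":
            rrq_count[src] += 1
    for src, n in rrq_count.items():
        if n >= rrq_burst:             # burst threshold is an assumption
            report.setdefault(src, []).append(f"{n} RRQs from one source")
    return report


# Constructed sample traffic: one normal PXE boot-file request, one malformed burst
SAMPLE = [("10.0.0.5", b"\x00\x01pxelinux.0\x00octet\x00")] + [
    ("10.0.0.9", b"\x00\x01" + b"A" * 600 + b"\x00octet\x00")] * 5

if __name__ == "__main__":
    for src, hits in scan(SAMPLE).items():
        print(src, hits)
```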
