CVE-2021-4467
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to cause denial-of-service by flooding the client communication service on TCP port 2002 with HTTPS requests. The service fails to limit concurrent connections, leading to session identifier exhaustion and collisions that disconnect active client sessions. Organizations using Positive Technologies MaxPatrol 8 or XSpider are affected.
💻 Affected Systems
- Positive Technologies MaxPatrol 8
- Positive Technologies XSpider
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption preventing all client connections and security scanning operations, potentially leaving systems unmonitored.
Likely Case
Intermittent service interruptions causing client disconnections and degraded security monitoring capabilities.
If Mitigated
Minimal impact with proper network segmentation and rate limiting in place.
🎯 Exploit Status
Exploitation requires only basic scripting to send repeated HTTPS requests to port 2002.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Positive Technologies security advisories for specific patched versions
Vendor Advisory: https://www.ptsecurity.com/
Restart Required: Yes
Instructions:
1. Check Positive Technologies security advisory for specific patch version
2. Download and apply the security update from vendor portal
3. Restart the MaxPatrol/XSpider services
4. Verify service functionality post-update
🔧 Temporary Workarounds
Network Access Control
Restrict access to TCP port 2002 to trusted management networks only.
# Example firewall rule (Linux iptables); replace TRUSTED_NETWORK with your management CIDR
iptables -A INPUT -p tcp --dport 2002 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 2002 -j DROP
Rate Limiting
Implement connection rate limiting at the network perimeter.
# Example iptables rate limiting: record every new connection to 2002 per source,
# then drop a source that has opened more than 20 new connections within 60 seconds
iptables -A INPUT -p tcp --dport 2002 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 2002 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the vulnerable service from untrusted networks
- Deploy network-based intrusion prevention systems with DoS protection rules for port 2002 traffic
🔍 How to Verify
Check if Vulnerable:
Test if TCP port 2002 is accessible and responds to HTTPS requests. Monitor for session exhaustion under load testing.
Check Version:
Check application version in MaxPatrol/XSpider administration interface or configuration files
Verify Fix Applied:
Verify the service version matches patched release and test that repeated connection attempts no longer cause session collisions.
📡 Detection & Monitoring
Log Indicators:
- Excessive connection attempts to port 2002
- Multiple session creation failures
- Unexpected client disconnections
Network Indicators:
- High volume of HTTPS traffic to port 2002 from single source
- Abnormal connection patterns to service port
SIEM Query (pseudo-syntax; traffic is matched on the destination port, and the two thresholds are grouped so the port condition applies to both):
dest_port=2002 AND (event_count > 1000 per minute OR src_ip_count > 50 per minute)
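The per-source half of that query, carried out over constructed connection-log lines as an added example (not part of the advisory or of any vendor tooling). The log layout, the IP addresses and the reading of the threshold as "new connections per source per minute" are assumptions.

```python
from collections import defaultdict

SERVICE_PORT = 2002
CONN_THRESHOLD = 1000  # new connections per source per one-minute bucket, as in the SIEM query

def parse_line(line):
    """Parse one constructed log line of the form
    '<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <conntrack state>'
    into (minute_bucket, src_ip, dst_port, state). The minute bucket is the
    'YYYY-MM-DDTHH:MM' prefix of the timestamp."""
    ts, src, _arrow, dst, state = line.split()
    minute = ts[:16]
    src_ip = src.rsplit(":", 1)[0]
    dst_port = int(dst.rsplit(":", 1)[1])
    return minute, src_ip, dst_port, state

def flag_floods(lines, port=SERVICE_PORT, threshold=CONN_THRESHOLD):
    """Count NEW connections to `port` per (minute, source IP) and return only the
    buckets above `threshold`, i.e. the single-source flood the advisory describes."""
    counts = defaultdict(int)
    for line in lines:
        minute, src_ip, dst_port, state = parse_line(line)
        if dst_port == port and state == "NEW":
            counts[(minute, src_ip)] += 1
    return {key: n for key, n in counts.items() if n > threshold}

def build_sample():
    """Constructed sample (hypothetical hosts): one source opening 1200 connections
    to TCP/2002 within one minute, one admin host with normal activity, and one
    unrelated connection to port 443 that must not be counted."""
    lines = []
    for i in range(1200):
        lines.append(f"2024-01-01T10:00:{i % 60:02d} 198.51.100.7:{40000 + i} -> 10.0.0.5:2002 NEW")
    for i in range(5):
        lines.append(f"2024-01-01T10:00:{i * 10:02d} 10.0.0.20:{50000 + i} -> 10.0.0.5:2002 NEW")
    lines.append("2024-01-01T10:00:30 198.51.100.7:41000 -> 10.0.0.5:443 NEW")
    return lines

if __name__ == "__main__":
    for (minute, src), n in flag_floods(build_sample()).items():
        print(f"{minute} {src} opened {n} new connections to TCP/{SERVICE_PORT}")
```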