CVE-2021-46113 – CVE-2021-46113 is a remote code execution vulne... (How to Fix)

Q: What is the severity of CVE-2021-46113?

CVE-2021-46113 has a CVSS score of 8.8 (HIGH). CVE-2021-46113 is a remote code execution vulnerability in KEA-Hotel-ERP open source software that allows attackers to upload malicious PHP files through a file upload vulnerability. This affects all users running vulnerable versions of KEA-Hotel-ERP. Successful exploitation gives attackers full control over the affected system.

📋 TL;DR

CVE-2021-46113 is a remote code execution vulnerability in KEA-Hotel-ERP open source software that allows attackers to upload malicious PHP files through a file upload vulnerability. This affects all users running vulnerable versions of KEA-Hotel-ERP. Successful exploitation gives attackers full control over the affected system.

💻 Affected Systems

Products:

KEA-Hotel-ERP

Versions: All versions up to and including December 31, 2021

Operating Systems: Any OS running PHP web server

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the file upload functionality without proper validation of uploaded file types.

📦 What is this software?

Kea Hotel Erp by Kea Hotel Erp Project

View all CVEs affecting Kea Hotel Erp →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary code, steal sensitive data, install malware, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Attackers upload web shells to gain remote access, steal hotel guest data, modify reservations, and potentially disrupt hotel operations.

🟢

If Mitigated

With proper file upload validation and web application firewalls, exploitation attempts are blocked and logged for investigation.

🌐 Internet-Facing: HIGH - The vulnerability allows unauthenticated remote exploitation, making internet-facing instances immediate targets.

🏢 Internal Only: HIGH - Even internal instances are vulnerable to insider threats or attackers who gain initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Multiple public proof-of-concept exploits and demonstration videos are available. The attack requires only web access to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative hotel management software or implementing strict workarounds.

🔧 Temporary Workarounds

Restrict PHP file uploads

all

Configure web server to block PHP file uploads and execution in upload directories

# In Apache .htaccess in upload directory:
<Files *.php>
    Order Deny,Allow
    Deny from all
</Files>
# In Nginx location block:
location ~* \.php$ {
    deny all;
    return 403;
}

Implement file type validation

all

Add server-side validation to only allow specific safe file extensions

# Example PHP validation snippet:
$allowed_extensions = ['jpg', 'png', 'pdf', 'doc'];
$file_extension = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if (!in_array($file_extension, $allowed_extensions)) {
    die('Invalid file type');
}

🧯 If You Can't Patch

Isolate the KEA-Hotel-ERP system in a separate network segment with strict firewall rules
Implement a web application firewall (WAF) with rules to block PHP file uploads and suspicious requests

🔍 How to Verify

Check if Vulnerable:

Attempt to upload a PHP file to the file upload endpoint. If successful without validation, the system is vulnerable.

Check Version:

Check the software version in the admin panel or review the source code for version indicators

Verify Fix Applied:

Test file upload functionality with PHP files - they should be rejected. Also verify web server configuration blocks PHP execution in upload directories.

📡 Detection & Monitoring

Log Indicators:

PHP file uploads in web server logs
Unusual POST requests to upload endpoints
Execution of PHP files from upload directories

Network Indicators:

HTTP POST requests with PHP file content to upload endpoints
Subsequent requests to uploaded PHP files

SIEM Query:

source="web_server" AND (uri="*upload*" AND file_extension="php") OR (uri="*/uploads/*.php")

📊 Metadata

CVE ID: CVE-2021-46113

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-434

Published: January 25, 2022

Last Updated: November 21, 2024

🔗 References

https://blog.pocas.kr/posts/rce-KEA-Hotel-ERP/ Broken Link
https://gist.github.com/P0cas/5aa55f62781364a750ac4a4d47f319fa#cve-2021-46113 Exploit,Third Party Advisory
https://www.youtube.com/watch?v=gnSMrvV5e9w Exploit,Third Party Advisory
https://blog.pocas.kr/posts/rce-KEA-Hotel-ERP/ Broken Link
https://gist.github.com/P0cas/5aa55f62781364a750ac4a4d47f319fa#cve-2021-46113 Exploit,Third Party Advisory
https://www.youtube.com/watch?v=gnSMrvV5e9w Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46113, you might also want to check these: