CVE-2021-47864

7.8 HIGH

📋 TL;DR

CVE-2021-47864 is an unquoted service path vulnerability in OSAS Traverse Extension 11's TravExtensionHostSvc service. Attackers with local access can place malicious executables in the service path to execute code with LocalSystem privileges, potentially gaining full system control. Organizations using OSAS Traverse Extension 11 are affected.

💻 Affected Systems

Products:
  • OSAS Traverse Extension
Versions: Version 11
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where OSAS Traverse Extension 11 is installed with the vulnerable TravExtensionHostSvc service.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with LocalSystem privileges leading to complete administrative control, data theft, and persistent backdoor installation.

🟠 Likely Case

Local privilege escalation allowing attackers to gain SYSTEM-level access on compromised machines.

🟢 If Mitigated

Limited impact if proper access controls prevent local users from writing to service directories.

🌐 Internet-Facing: LOW - This requires local access to the system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Internal attackers or malware with local access can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access to create files in the service path. Public exploit code exists on Exploit-DB.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://web.archive.org/web/20200817150522/https://www.osas.com/

Restart Required: Yes

Instructions:

  1. Check vendor website for updates.
  2. If patch available, download and install.
  3. Restart affected service or system.

🔧 Temporary Workarounds

Quote Service Path

windows

Modify the service configuration to use quoted paths in the service executable path.

sc config TravExtensionHostSvc binPath= "\"C:\Path\To\Service.exe\""

Restrict Directory Permissions

windows

Set strict permissions on directories in the service path to prevent unauthorized file creation.

icacls "C:\Path\To\Service" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Implement strict access controls to prevent local users from writing to service directories.
  • Monitor for unauthorized file creation in service paths and suspicious service execution.

🔍 How to Verify

Check if Vulnerable:

Run sc qc TravExtensionHostSvc and inspect BINARY_PATH_NAME. The service is affected if it exists and its executable path contains spaces but is not enclosed in double quotes.

Check Version:

Check OSAS Traverse Extension version in installed programs or registry.

Verify Fix Applied:

Verify service path is quoted and directory permissions are restricted.
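
The two checks above (unquoted path, directory permissions) as a read-only PowerShell audit. This is an added example, not vendor code or a script from this page; the function names and the trusted-SID list are assumptions, and ACEs that use generic rights are not expanded.

```powershell
# Added example: read-only audit of one service's ImagePath and parent-directory ACLs.
$TrustedSids = @(
    'S-1-5-18'        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
function Get-UnquotedExePath([string]$ImagePath) {
    # Returns the executable path when it is unquoted and contains a space, else $null.
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $null }
    if ($p -match '^(?<exe>.+?\.exe)(\s|$)' -and $Matches['exe'].Contains(' ')) { return $Matches['exe'] }
    return $null
}
function Get-DirectoriesToReview([string]$ExePath) {
    # Each space splits the path; the parent of each prefix is a directory whose ACL matters.
    $dirs = @()
    $i = $ExePath.IndexOf(' ')
    while ($i -ge 0) {
        $dirs += Split-Path -Path $ExePath.Substring(0, $i) -Parent
        $i = $ExePath.IndexOf(' ', $i + 1)
    }
    $dirs | Where-Object { $_ } | Select-Object -Unique
}
function Get-NonAdminWriters([string]$Dir) {
    # Allow ACEs that apply to $Dir itself and grant file creation to a principal
    # outside $TrustedSids (assumed list; adjust to local policy).
    $create = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Dir).GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $create) -and
        -not ([int]$_.PropagationFlags -band $inheritOnly) -and
        $TrustedSids -notcontains $_.IdentityReference.Value
    }
}
function Test-UnquotedServicePath([string]$Name = 'TravExtensionHostSvc') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return "Service $Name is not installed." }
    $exe = Get-UnquotedExePath $svc.PathName
    if (-not $exe) { return "OK: path is quoted or has no spaces: $($svc.PathName)" }
    "UNQUOTED: $($svc.PathName) (runs as $($svc.StartName))"
    foreach ($dir in Get-DirectoriesToReview $exe) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $who = (Get-NonAdminWriters $dir | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', '
        if ($who) { "  REVIEW ACL: $dir (file creation allowed for SIDs: $who)" } else { "  ok: $dir" }
    }
}
Test-UnquotedServicePath
Get-DirectoriesToReview (Get-UnquotedExePath 'C:\Program Files\Example Vendor\Host Svc.exe -run')  # constructed sample path
```

The script changes nothing on the host. A REVIEW ACL line means the directory permissions need tightening even after the path is quoted.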

📡 Detection & Monitoring

Log Indicators:

  • Event ID 7045 for service path changes
  • Unauthorized file creation in service directories

Network Indicators:

  • Unusual outbound connections from service account

SIEM Query:

(EventID=7045 AND ServiceName="TravExtensionHostSvc") OR FileCreation IN ("*\Program Files\OSAS\*")
