CVE-2021-47884

7.8 HIGH

📋 TL;DR

CVE-2021-47884 is an unquoted service path vulnerability in OKI Configuration Tool 1.6.53 that allows local attackers to execute arbitrary code with elevated privileges. Attackers can place malicious executables in the service path to hijack execution when the OKI Local Port Manager service starts. This affects Windows systems running the vulnerable OKI software.

💻 Affected Systems

Products:
  • OKI Configuration Tool
Versions: 1.6.53
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access to the Windows system and ability to write to the Program Files directory structure.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via privilege escalation to SYSTEM, enabling persistent backdoors, data theft, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation allowing attackers to gain administrative privileges on the compromised system.

🟢 If Mitigated

Limited impact if proper access controls prevent local users from writing to Program Files directories.

🌐 Internet-Facing: LOW - This requires local access to the system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Malicious insiders or attackers who gain initial access can escalate privileges on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access and ability to create files in the vulnerable directory path. Proof-of-concept code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown specific version - check vendor for updates

Vendor Advisory: https://www.oki.com/me/printing/services-and-solutions/smart-solutions/print-job-accounting/index.html

Restart Required: Yes

Instructions:

  1. Check OKI website for updated Configuration Tool version.
  2. Uninstall vulnerable version.
  3. Install patched version.
  4. Restart system to ensure service updates take effect.

🔧 Temporary Workarounds

Apply proper service path quoting

windows

Manually edit the service configuration to use a quoted path (sc requires the space after binPath=)

sc config "OKI Local Port Manager" binPath= "\"C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe\""

Restrict directory permissions

windows

Remove write permissions for non-administrative users on the vulnerable directory

icacls "C:\Program Files\Okidata\Common\extend3" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Disable the OKI Local Port Manager service if not required
  • Implement strict access controls to prevent local users from writing to Program Files directories

🔍 How to Verify

Check if Vulnerable:

Check service configuration: sc qc "OKI Local Port Manager" and look for a BINARY_PATH_NAME value that is an unquoted path containing spaces

Check Version:

Check installed programs in Control Panel or run: wmic product where "name like '%OKI%Configuration%Tool%'" get version

Verify Fix Applied:

Verify service path is properly quoted: sc qc "OKI Local Port Manager" should show quoted path
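
The check above, as an added example (not from the vendor or from this page's source): Python that parses `sc qc` output, decides whether the service path is unquoted with spaces, and lists the shorter program names Windows would try first, which are the locations to audit. The function names are hypothetical and the sample `sc qc` output is constructed.

```python
import re

# Constructed sample of `sc qc` output (illustrative, not captured from a host).
SAMPLE_SC_QC = r"""
SERVICE_NAME: OKI Local Port Manager
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_output):
    """Return the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", sc_qc_output, re.M)
    return m.group(1) if m else None

def split_image(path):
    """Return (executable, was_quoted), dropping any service arguments."""
    path = path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return (path[1:end] if end != -1 else path[1:]), True
    # Unquoted: treat everything up to the first ".exe" token as the executable.
    m = re.match(r"(.+?\.exe)(?=\s|$)", path, re.I)
    return (m.group(1) if m else path), False

def ambiguous_candidates(path):
    """Shorter names Windows tries first when the path is unquoted.

    Each space in the executable path ends a candidate program name, to which
    .exe is appended. These are the locations to audit for unexpected files
    and writable ACLs. A quoted path has no such candidates.
    """
    exe, quoted = split_image(path)
    if quoted:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(sc_qc_output):
    """Return (path, candidates) for one service; empty candidates means OK."""
    path = binary_path(sc_qc_output)
    return path, (ambiguous_candidates(path) if path else [])

if __name__ == "__main__":
    path, candidates = audit(SAMPLE_SC_QC)
    print("BINARY_PATH_NAME:", path)
    for c in candidates:
        print("  audit location:", c)
```

For the path shown on this page the only candidate is in the drive root, so the ACL on that directory belongs in the review alongside the directories named above.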

📡 Detection & Monitoring

Log Indicators:

  • Service control manager events showing OKI Local Port Manager service starting from unexpected locations
  • File creation events in C:\Program Files\Okidata\Common\extend3\ directory by non-admin users

Network Indicators:

  • Unusual outbound connections from systems running OKI software

SIEM Query:

EventID=7045 AND ServiceName="OKI Local Port Manager" AND ImagePath="*Program Files*Okidata*Common*extend3*portmgrsrv.exe"
