CVE-2021-47887

7.8 HIGH

📋 TL;DR

CVE-2021-47887 is an unquoted service path vulnerability in OKI Print Job Accounting 4.4.10 that allows local attackers to execute arbitrary code with elevated privileges. Attackers can place malicious executables in the service path to hijack the OkiJaSvc service. This affects organizations using OKI Print Job Accounting software on Windows systems.

💻 Affected Systems

Products:
  • OKI Print Job Accounting
Versions: 4.4.10
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation path 'C:\Program Files\Okidata\Print Job Accounting\' where spaces in the path are not properly quoted in the service configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via privilege escalation to SYSTEM-level access, enabling complete control over the affected system and potential lateral movement within the network.

🟠 Likely Case

Local privilege escalation allowing attackers to gain administrative privileges on the compromised system, install malware, or access sensitive data.

🟢 If Mitigated

Limited impact with proper access controls preventing local users from writing to the vulnerable directory path.

🌐 Internet-Facing: LOW - This vulnerability requires local access to the system and cannot be exploited remotely over the internet.
🏢 Internal Only: HIGH - Malicious insiders or compromised accounts with local access can exploit this vulnerability to escalate privileges within the internal network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to create malicious executables in the vulnerable directory path. Proof of concept code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified by vendor

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

1. Check OKI website for updated version
2. If available, download and install the patched version
3. Verify the service path is properly quoted after installation

🔧 Temporary Workarounds

Add quotes to service path

Platform: Windows

Manually edit the service configuration to add quotes around the service executable path

sc config OkiJaSvc binPath= "\"C:\Program Files\Okidata\Print Job Accounting\OkiJaSvc.exe\""

Restrict directory permissions

Platform: Windows

Remove write permissions for non-administrative users on the vulnerable directory path

icacls "C:\Program Files\Okidata\Print Job Accounting" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized local users from writing to the vulnerable directory path
  • Monitor for suspicious file creation in 'C:\Program Files\Okidata\Print Job Accounting\' directory

🔍 How to Verify

Check if Vulnerable:

Check if OkiJaSvc service path contains spaces without quotes: sc qc OkiJaSvc | findstr BINARY_PATH_NAME

Check Version:

Check installed version through Control Panel > Programs and Features or the application interface

Verify Fix Applied:

Verify service path is properly quoted: sc qc OkiJaSvc should show quotes around the full path
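
The check above, automated as an added example (not part of the original advisory or of any vendor tooling): it parses `sc qc` output, classifies the BINARY_PATH_NAME value, and for an unquoted path lists the directories whose write permissions should be reviewed. The sample output is constructed and the function names are illustrative.

```python
import ntpath
import re

# Constructed sample of `sc qc OkiJaSvc` output (not captured from a real host).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OkiJaSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Okidata\Print Job Accounting\OkiJaSvc.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_output):
    """Return the raw BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", sc_qc_output, re.M)
    return m.group(1) if m else None

def check_path(value):
    """Classify a service command line; return (status, dirs_to_review)."""
    value = (value or "").strip()
    if not value:
        return ("empty", [])
    if value.startswith('"'):
        return ("quoted", [])
    # Image path = text up to the first ".exe" that ends a token; the rest
    # of the line is arguments, where spaces are harmless.
    m = re.match(r"(.*?\.exe)(?=\s|$)", value, re.I)
    image = m.group(1) if m else value.split()[0]
    if " " not in image:
        return ("unquoted-no-spaces", [])
    # At each space Windows may stop and treat the prefix as the program
    # name, so the directory holding that prefix must not be user-writable.
    dirs = []
    for i, ch in enumerate(image):
        if ch == " ":
            parent = ntpath.dirname(image[:i])
            if parent not in dirs:
                dirs.append(parent)
    return ("unquoted-with-spaces", dirs)

if __name__ == "__main__":
    status, dirs = check_path(binary_path(SAMPLE_SC_QC))
    print(status)
    for d in dirs:
        print("review ACL with icacls:", d)
```

On a live host, feed the function the text returned by `sc qc <service>`; a result of `quoted` after applying the workaround confirms the fix.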

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing unauthorized file creation in the vulnerable directory
  • Service control manager logs showing OkiJaSvc service modifications

Network Indicators:

  • Unusual outbound connections from systems running OKI Print Job Accounting

SIEM Query:

EventID=4688 AND (ProcessName LIKE '%OkiJaSvc%' OR CommandLine LIKE '%OkiJaSvc%')
