CVE-2021-27101

Description

Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later.

Add Assessment

cdelafuente-r7 (96)

March 03, 2021 6:11pm UTC (3 years ago)•Edited 3 years ago

Ratings

Attacker Value

Very High

Exploitability

Medium

Common in enterprise Unauthenticated Vulnerable in default configuration

Technical Analysis

Accellion’s legacy File Transfer Appliance (FTA) is an application to transfer large files securely. It is a 20-year-old product and will reach End of Life on April 30, 2021. Accellion recommends to migrate to kiteworks, its enterprise content firewall platform. According to this post, the SQL injection vulnerability is the starting point of a series of attacks against multiple organizations. This post reports that this vulnerability has been actively exploited since mid-December 2020 and is related to an ongoing ransomware campaign.

This SQL injection vulnerability enables an unauthenticated remote attacker to retrieve data from the database by sending specially crafted requests to the document_root file. Especifically, it has been exploited to retrieve a key that led to the installation of a web shell on the appliance. This web shell was then used to download sensitive data from the FTA internal database.

Due to the nature of this application, the data available is likely to be very sensitive and exploiting this vulnerability would lead to a critical information leak. As an emergency mitigation, external access to any vulnerable FTA should be shut down. However, this won’t block attacks coming from the internal network. It is highly recommended to patch to the latest version and to consider migrating to kiteworks.

NinjaOperator (83)

June 29, 2021 10:23pm UTC (3 years ago)•Edited 7 months ago

Technical Analysis

Over 20 orgs suffered breaches due to CVE-2021-27101, which affects Accellion FTA. Data has shown up on the Clop ransomware extortion website.
https://twitter.com/RecordedFuture/status/1408095974329888771

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

accellion

Products

Exploited in the Wild

Reported by:

cdelafuente-r7

Reported: March 03, 2021 6:11pm UTC (3 years ago)

gwillcox-r7 indicated sources as

Government or Industry Alert (https://us-cert.cisa.gov/ncas/alerts/aa21-209a)
Other: 2021 Most Exploited Vulnerabilities (https://www.ic3.gov/Media/News/2021/210728.pdf)

Reported: July 28, 2021 3:54pm UTC (3 years ago) • Edited 2 years ago

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:12am UTC (2 weeks ago)

References

Canonical

CVE-2021-27101 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27101)

Miscellaneous

https://www.accellion.com/products/fta/

https://github.com/accellion/CVEs/blob/main/CVE-2021-27101.txt

Ransomware (https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-exploited-for-data-theft-and-extortion/)

Rapid7

Very High

Very High

Moderate

None

None

Network

CVE-2021-27101

Description