OS Command Injection Vulnerability in ZendTo by Zend Technologies
CVE-2021-47667

10 CRITICAL

Key Information:

Vendor: Zend
Status: Vendor
CVE Published: 5 April 2025

What is CVE-2021-47667?

CVE-2021-47667 is a serious security vulnerability found in ZendTo, a file transfer application developed by Zend Technologies. This vulnerability allows unauthenticated remote attackers to exploit the software by executing arbitrary operating system commands. Leveraging this flaw can lead to significant security risks for organizations using ZendTo, as attackers can manipulate the vulnerable file drop functionality, resulting in unauthorized command execution that may compromise sensitive data or system integrity.

Technical Details

The vulnerability resides in the lib/NSSDropoff.php file of ZendTo versions ranging from 5.24-3 to 6.x before 6.10-7. It is characterized as an OS command injection flaw, where attackers can send specially crafted POST requests to the /dropoff endpoint, injecting shell metacharacters through the tmp_name parameter. This improper handling allows the execution of arbitrary commands on the server, exposing the system to unauthorized access and manipulation.
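The defect class described above is a request parameter that reaches a shell command string without validation or escaping. The following Python is an added illustration, not ZendTo's code: it contrasts the unsafe string-building pattern with a hardened one (positive allowlist on the parameter, then an argv list that no shell parses, or shlex.quote as the escapeshellarg analogue when a shell string is unavoidable), and runs a simple detection over constructed request-log records. The log format, the field names, and the assumed shape of a PHP upload temp path (/tmp/php followed by alphanumerics) are assumptions made for the example.

```python
"""Defender-side helpers for the CVE-2021-47667 flaw class: a request
parameter (here tmp_name) that is interpolated into a shell command.

Added example; not ZendTo's code. Log layout, field names and the expected
shape of a PHP upload temp path are assumptions for illustration only."""
import json
import re
import shlex

# Characters that change the meaning of a POSIX shell command line.
SHELL_METACHARS = re.compile(r"""[;&|`$<>(){}\[\]\n\r\\'"*?~!#]""")

# Assumption: a legitimate PHP upload temp file looks like /tmp/phpXXXXXX
# (letters and digits only). Anything else is rejected outright.
TMP_NAME_ALLOWLIST = re.compile(r"^/tmp/php[A-Za-z0-9]{6,}$")


def is_safe_tmp_name(value: str) -> bool:
    """Positive validation: accept only the exact shape we expect."""
    return bool(TMP_NAME_ALLOWLIST.fullmatch(value))


def vulnerable_command(tmp_name: str) -> str:
    """The unsafe pattern: raw interpolation into a shell string.
    Returned rather than executed so the difference is visible in tests."""
    return "file -b " + tmp_name


def escaped_command(tmp_name: str) -> str:
    """If a shell string cannot be avoided, quote the argument
    (shlex.quote is the Python analogue of PHP's escapeshellarg)."""
    return "file -b " + shlex.quote(tmp_name)


def safe_command(tmp_name: str) -> list:
    """Hardened pattern: validate first, then build an argv list that is
    handed to the process directly (no shell interprets it)."""
    if not is_safe_tmp_name(tmp_name):
        raise ValueError("rejected tmp_name")
    return ["file", "-b", tmp_name]


def find_suspicious_requests(log_lines) -> list:
    """Scan JSON request-log records for POST /dropoff bodies whose tmp_name
    carries shell metacharacters or fails the allowlist. Returns
    (source, tmp_name) pairs worth alerting on."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != "/dropoff":
            continue
        tmp = rec.get("params", {}).get("tmp_name")
        if tmp is None:
            continue
        if SHELL_METACHARS.search(tmp) or not is_safe_tmp_name(tmp):
            hits.append((rec.get("src"), tmp))
    return hits


# Constructed sample log records (not real traffic).
SAMPLE_LOG = [
    json.dumps({"src": "10.0.0.2", "method": "GET", "path": "/pickup",
                "params": {}}),
    json.dumps({"src": "10.0.0.3", "method": "POST", "path": "/dropoff",
                "params": {"tmp_name": "/tmp/phpQz91Xk"}}),
    json.dumps({"src": "10.0.0.5", "method": "POST", "path": "/dropoff",
                "params": {"tmp_name": "/tmp/phpAb12Cd;ls"}}),
    json.dumps({"src": "10.0.0.7", "method": "POST", "path": "/dropoff",
                "params": {"note": "no tmp_name field"}}),
]


if __name__ == "__main__":
    for src, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious tmp_name from {src}: {value!r}")
    print(safe_command("/tmp/phpQz91Xk"))
```

The allowlist check matters more than the metacharacter blocklist: a blocklist only catches the characters someone thought of, whereas rejecting anything that is not the one expected shape closes the whole class. The detection function is deliberately loose in the other direction (blocklist OR allowlist failure) because for alerting, false positives are cheaper than misses.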

Potential Impact of CVE-2021-47667

  1. Arbitrary Code Execution: Attackers can execute any command on the affected server, potentially leading to complete system compromise. This could allow them to install malware, steal sensitive information, or manipulate system operations.

  2. Data Breach Risks: Unauthorized command execution can lead to data breaches, where sensitive files and information may be accessed or exfiltrated by malicious actors.

  3. Disruption of Services: By executing harmful commands, attackers can disrupt normal operations of the ZendTo service, impacting business continuity and affecting users relying on the file transfer system.

Affected Version(s)

ZendTo 5.24-3 up to, but not including, 6.10-7

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
