
Tenable Blog


Accellion Patches Four Vulnerabilities in File Transfer Appliance (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104)

Accellion recently released patches addressing four vulnerabilities in its File Transfer Appliance, a tool linked to a growing list of data breaches since December.

Update February 22, 2021: The scoring and details of CVE-2021-27102 were updated to reflect the addition of further details to its NVD entry.

Background

On January 12, Accellion, a private cloud solutions company, published a statement regarding a security incident involving one of its customers. The statement revealed the presence of a “P0 (priority zero) vulnerability” in its File Transfer Appliance (FTA), a cloud or on-premises based solution for organizations to “transfer large and sensitive files.” The vulnerability was patched "within 72 hours" and affected "less than 50 customers," according to the Accellion statement.

Throughout January, multiple companies came forward acknowledging data breaches linked to Accellion’s FTA. In a subsequent statement on February 2, Accellion noted that in the weeks since the first P0 vulnerability was disclosed, it had identified “additional exploits” in FTA and had patched each of those vulnerabilities. However, the Feb. 2 statement did not share any specific details about these flaws or the versions of FTA that may be impacted.

At the time this blog post was published, at least 11 organizations had publicly confirmed being victims of data breaches associated with FTA.

On February 16, Accellion published the first descriptions for four vulnerabilities in FTA on its GitHub page.

Analysis

At the time this blog post was published, three of the four vulnerabilities received a CVSSv3 score of 9.8, while the fourth was assigned a score of 7.8.

CVE-2021-27101 is a SQL injection vulnerability. An unauthenticated, remote attacker could exploit the flaw by sending a request with a specially crafted Host header to the document_root.html endpoint on a vulnerable FTA instance.

CVE-2021-27103 is a Server-Side Request Forgery (SSRF) vulnerability. An unauthenticated, remote attacker could exploit the flaw by sending a specially crafted POST request to the wmProgressstat.html endpoint on a vulnerable FTA instance.

CVE-2021-27104 is an OS command injection vulnerability. An unauthenticated, remote attacker could exploit the flaw by sending a specially crafted POST request to an FTA administrative endpoint.

CVE-2021-27102 is another OS command injection vulnerability. An attacker with local access and low privileges could exploit this vulnerability.

While details for these vulnerabilities are quite limited, we intend to update this blog as more detailed information becomes available.

Successful exploitation of these flaws may allow attackers to view and exfiltrate files from vulnerable FTA instances.

CVE              CVSSv3   Tenable VPR*
CVE-2021-27101   9.8      10.0
CVE-2021-27102   7.8      9.2
CVE-2021-27103   9.8      9.5
CVE-2021-27104   9.8      9.2

*Please note Tenable VPR scores are calculated nightly. This blog post was published on February 19 and reflects VPR at that time.
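The two remotely reachable request shapes described above (a crafted Host header on document_root.html for CVE-2021-27101, and a crafted POST to wmProgressstat.html for CVE-2021-27103) are specific enough to look for in traffic in front of an appliance. The following is an added example of that triage logic; it is not Tenable plugin code or Accellion code. It assumes you have raw HTTP request text (for example from a reverse proxy or a packet capture), matches on the file name only because the page does not give full URL paths, and uses constructed sample requests rather than captured traffic.

```python
"""Request triage for the two FTA request shapes the advisory names:
CVE-2021-27101 (crafted Host header in a request to document_root.html) and
CVE-2021-27103 (crafted POST to wmProgressstat.html).

Added example, not code from Tenable or Accellion. Assumes raw HTTP/1.x request
text is available (reverse proxy or packet capture); matching is on the file
name only, because the advisory does not give full URL paths."""
import re

# What a legitimate Host header looks like: hostname or IPv4 with optional port,
# or a bracketed IPv6 literal. Quotes, spaces or SQL keywords in the Host value
# of a request to document_root.html are what CVE-2021-27101 exploitation needs.
HOST_RE = re.compile(
    r"^[A-Za-z0-9.\-]+(?::\d{1,5})?$|^\[[0-9A-Fa-f:.]+\](?::\d{1,5})?$"
)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers, body


def classify(raw: str) -> list:
    """Return the advisory patterns a request matches (empty list if none)."""
    method, target, headers, _body = parse_request(raw)
    path = target.split("?", 1)[0]
    filename = path.rsplit("/", 1)[-1].lower()
    host = headers.get("host", "")
    findings = []
    if filename == "document_root.html" and not HOST_RE.match(host):
        findings.append("CVE-2021-27101 pattern: non-hostname Host header on document_root.html")
    if filename == "wmprogressstat.html" and method == "POST":
        findings.append("CVE-2021-27103 pattern: POST to wmProgressstat.html")
    return findings


# Constructed sample requests (not captured traffic). Body contents are
# illustrative only; the advisory gives no parameter names.
SAMPLES = {
    "benign_get": "GET /document_root.html HTTP/1.1\r\nHost: fta.example.com\r\n\r\n",
    "sqli_host": (
        "GET /document_root.html HTTP/1.1\r\n"
        "Host: fta.example.com' UNION SELECT 1,2,3-- \r\n\r\n"
    ),
    "ssrf_post": (
        "POST /wmProgressstat.html HTTP/1.1\r\nHost: fta.example.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\nx=1"
    ),
    "benign_post": "POST /login.html HTTP/1.1\r\nHost: fta.example.com\r\n\r\nuser=a&pass=b",
}


def triage_all(samples=SAMPLES) -> dict:
    """Map sample name -> findings, so results can be checked or logged."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, findings or ["clean"])
```

The Host check is deliberately an allow-list (what a hostname may contain) rather than a deny-list of SQL keywords, so encoded or unusual payloads still trip it; the cost is that a proxy that rewrites Host to something non-standard will need to be excluded. A plain GET to wmProgressstat.html is not flagged, matching the advisory's description of a POST.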

Unconfirmed connection to recently detailed web shell on FTA instance

On January 28, researchers at GuidePoint Security published a blog post detailing a joint investigation with deepwatch that analyzed a web shell found within an instance of Accellion’s FTA. Because of the timing of this publication, Tenable Research believes it may be an example of the attacks described, as the web shell analyzed would allow an attacker to exfiltrate documents from a vulnerable FTA instance.

CL0P Ransomware claims responsibility for breach but denies Accellion connection

Recently, the CL0P ransomware group claimed responsibility for an attack on Jones Day, a U.S.-based international law firm. However, according to The Wall Street Journal, Jones Day is disputing the claim, saying the files pilfered were not from its network, but were the result of a breach in its use of Accellion’s FTA product.

The CL0P ransomware gang operates a leak website, a tactic pioneered by the Maze ransomware group in December 2019, which we discuss in our 2020 Threat Landscape Retrospective report. Leak websites are used to name and shame victims of ransomware attacks as a form of double extortion. The original extortion is the encryption of files on the victim’s network. The double extortion tactic adds exfiltration of data from the victim’s network and the threat to leak it publicly if ransom demands are not met. The ransomware groups post a sampling of the stolen files on these leak websites.

On the CL0P leak website (“CL0P LEAKS”), a cache of files associated with the Jones Day breach has been published. Files associated with Singtel, another organization recently linked to a data breach via Accellion’s FTA, have also appeared on the CL0P LEAKS website.

[Image: list of affected organizations from the CL0P LEAKS website]

It remains unclear whether or not the CL0P ransomware group exploited the vulnerabilities in Accellion’s FTA in order to steal files from these organizations. A section in the 44th edition of the Risky Business newsletter surmises that the CL0P ransomware group could be “helping other attackers monetise the theft of data” from these organizations.

Proof of concept

At the time this blog post was published there were no public proof-of-concept (PoC) exploits available for any of the four vulnerabilities in the FTA.

Solution

According to the CVE descriptions Accellion published on its GitHub page, the fixes shipped in two builds: 9_12_380 addresses the SQL injection (CVE-2021-27101) and SSRF (CVE-2021-27103) flaws, and 9_12_416 addresses the two OS command injection flaws (CVE-2021-27102 and CVE-2021-27104). The following table lists the affected and fixed versions of FTA:

CVE              Affected FTA versions   Patched FTA version
CVE-2021-27101   9_12_370 and earlier    9_12_380 and later
CVE-2021-27102   9_12_411 and earlier    9_12_416 and later
CVE-2021-27103   9_12_370 and earlier    9_12_380 and later
CVE-2021-27104   9_12_411 and earlier    9_12_416 and later
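When triaging an inventory of FTA builds against this table, the underscore-separated build string has to be compared numerically, not as text. The following is an added example of that check; it is not Tenable's plugin logic or Accellion's code. It assumes the build is reported in Accellion's underscore form (for example 9_12_370) and that the version has already been read from the appliance.

```python
"""Map an FTA build string to the CVEs that still apply, using the affected/fixed
versions from the table above. Added example, not Tenable's or Accellion's code.
Assumes the build string is in Accellion's underscore form (e.g. 9_12_370)."""

# (CVE, first fixed build): a build is affected if it is older than the fix.
FIXES = [
    ("CVE-2021-27101", "9_12_380"),
    ("CVE-2021-27103", "9_12_380"),
    ("CVE-2021-27102", "9_12_416"),
    ("CVE-2021-27104", "9_12_416"),
]


def parse_version(v: str) -> tuple:
    """'9_12_370' -> (9, 12, 370). Numeric comparison is required: as text,
    '9_12_99' would sort after '9_12_416' and be misreported as patched."""
    parts = v.strip().split("_")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an FTA build string: {v!r}")
    return tuple(int(p) for p in parts)


def affected_cves(version: str) -> list:
    """Return the CVEs from the table that are unpatched at this build."""
    build = parse_version(version)
    return [cve for cve, fixed in FIXES if build < parse_version(fixed)]


if __name__ == "__main__":
    for v in ("9_12_370", "9_12_380", "9_12_411", "9_12_416"):
        print(v, affected_cves(v) or ["fully patched against these four CVEs"])
```

A build at 9_12_380 through 9_12_411 is patched against the SQL injection and SSRF flaws but still exposed to both command injection flaws, which is why a single "is it on the latest patch" check should resolve to 9_12_416 or later.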

FTA reaches end of life on April 30

As part of its recent statements, Accellion has published a document announcing the official end of life (EOL) for its FTA product is April 30, 2021. Accellion is instructing all legacy FTA customers to migrate over to its kiteworks solution.

[Image: Accellion EOL document for FTA. Image source: Accellion]

We strongly encourage all organizations to apply these available patches as soon as possible and create a migration plan to move away from FTA before its EOL.

Identifying affected systems

Tenable customers can use our existing detection plugin to identify Accellion File Transfer Appliance assets in their environment.

Because FTA will reach EOL on April 30, we will be releasing an unsupported version detection plugin 60 days before the EOL date. The plugin will be available here on March 1.

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
