Vembu BDR Full Disclosure
25 Aug 2021 - Frank Breedijk
On 15 May 2021 we published case DIVD-2020-00011, which dealt with four vulnerabilities in Vembu BDR and related products. These four vulnerabilities were confidentially reported to Vembu in November 2020 and again in February 2021.
From recent scan data we know that the three most damaging vulnerabilities have practically ceased to be present on the internet, therefore we have decided to release the full technical details on these vulnerabilities.
When we notified Vembu in March of this year we identified over 1,000 instances of Vembu BDR and related products with at least one vulnerability. Of these instances nearly 90 were also vulnerable to a Remote Code Execution vulnerability (RCE). A rescan on the first of July showed a dramatic drop: only 55 vulnerable instances remained online, of which only a handful still contained the RCE. A rescan in August confirmed that these numbers remain low, and we now deem it safe to release the full details on the vulnerabilities we found, except for CVE-2021-26474, which is still present on over 50 internet-facing systems.
The details of the disclosed vulnerabilities can be found in the links below:
- CVE-2021-26471 - unauthenticated RCE
- CVE-2021-26472 - unauthenticated RCE with SYSTEM privileges
- CVE-2021-26473 - unauthenticated arbitrary file upload and RCE