CVE-2021-28249 in eHealth Performance Manager
Summary
by MITRE • 03/26/2021
** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a Dynamically Linked Shared Object Library. To exploit the vulnerability, the ehealth user must create a malicious library in the writable RPATH, to be dynamically linked when the FtpCollector executable is run. The code in the library will be executed as the root user. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Analysis
by VulDB Data Team • 08/04/2024
The vulnerability identified as CVE-2021-28249 represents a critical privilege escalation flaw within CA eHealth Performance Manager versions 6.3.2.12 and earlier. The issue stems from improper handling of dynamically linked shared object libraries within the application's runtime environment, and it affects a product that has reached end-of-life support status. The vulnerability is particularly concerning because it demonstrates how legacy software can harbor dangerous security flaws that remain unpatched for lack of vendor support, creating persistent risk for organizations that continue to operate deprecated systems.
The exploitation mechanism follows the classic shared-library injection pattern: an attacker with access to the ehealth user account places a malicious shared library in a writable directory listed in the binary's RPATH. When the FtpCollector executable is next run, the dynamic linker searches that RPATH, loads the attacker's library and executes its code with the privileges of the process. This works because FtpCollector is typically run with root privileges while its RPATH points to a directory the ehealth user can write to, so library names are resolved from an attacker-controlled location. The vulnerability maps to CWE-426 Untrusted Search Path, which describes applications that search for libraries in paths they do not control and can therefore be subverted through library injection. The result is arbitrary code execution as root, which fundamentally compromises system integrity.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it provides attackers with complete system control through the ehealth user account. Once exploited, the malicious code executes with root privileges, enabling full system compromise including data exfiltration, persistence establishment, and further network reconnaissance. The attack requires minimal privileges to initiate, as the ehealth user account typically has sufficient access to write to the RPATH directories. This makes the vulnerability particularly dangerous in environments where the ehealth service runs with elevated privileges and where the RPATH contains writable directories. From an attack chain perspective, this vulnerability aligns with ATT&CK technique T1068, which covers privilege escalation through dynamic link library injection, and T1546, covering exploitation for privilege escalation through changes to the dynamic link library search order.
Organizations affected by this vulnerability should immediately implement mitigations that address the root cause of the issue. The most effective approach is to modify the FtpCollector executable's RPATH so that it contains no writable directories and libraries are loaded only from secure, trusted locations. Applying strict file permissions to the RPATH directories also prevents unauthorized library injection. System administrators should consider disabling the FtpCollector service if it is not actively required, which removes the attack surface entirely. The vulnerability is a stark reminder of the risks of running unsupported software, for which vendors no longer provide security updates or patches. Organizations should prioritize migrating to a supported version of the software or, failing that, add compensating controls such as process monitoring and file integrity checking to detect exploitation attempts. Because no official patch exists, these defensive measures are critical for maintaining system security.
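The RPATH audit described above can be scripted. The following is an added example, not code from VulDB or CA: it takes the RPATH/RUNPATH string as printed by `readelf -d` for a root-run binary and reports every entry the low-privilege service account could plant a library in, walking ancestor directories and honouring sticky bits. The ehealth account's uid/gids, the directory layout and the FtpCollector path are constructed assumptions.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Can a process running as uid/gids create entries in a directory with stat result st?"""
    if st.st_uid == uid:
        return True  # an owner can always chmod the directory writable again
    return bool((st.st_gid in gids and st.st_mode & stat.S_IWGRP) or st.st_mode & stat.S_IWOTH)

def controlled_component(path, uid, gids):
    """Nearest existing component of path (itself or an ancestor) the attacker can write to,
    or None. Missing components are skipped: a writable existing ancestor suffices to create them."""
    probe, child_exists = path, False
    while True:
        if os.path.exists(probe):
            lst, st = os.lstat(probe), os.stat(probe)
            # Sticky dirs (e.g. /tmp) protect only existing entries; attacker-owned symlinks can be re-pointed.
            sticky_protects = child_exists and st.st_mode & stat.S_ISVTX and st.st_uid != uid
            if (stat.S_ISLNK(lst.st_mode) and lst.st_uid == uid) or (writable_by(st, uid, gids) and not sticky_protects):
                return probe
            child_exists = True
        parent = os.path.dirname(probe)
        if parent == probe:
            return None
        probe = parent

def audit_rpath(rpath, binary_path, attacker_uid, attacker_gids):
    """rpath is the colon-separated value `readelf -d` prints for the RPATH/RUNPATH tag.
    Returns (entry, reason) pairs for entries the attacker could plant a library in."""
    origin = os.path.dirname(os.path.realpath(binary_path))
    findings = []
    for entry in rpath.split(":"):
        if not entry.startswith(("/", "$ORIGIN", "${ORIGIN}")):
            findings.append((entry, "relative entry, resolved against the caller's working directory"))
            continue
        path = os.path.normpath(entry.replace("${ORIGIN}", origin).replace("$ORIGIN", origin))
        hit = controlled_component(path, attacker_uid, attacker_gids)
        if hit:
            findings.append((entry, f"{hit} is writable by uid {attacker_uid}"))
    return findings

def build_sample_tree():
    """Constructed layout, not a real eHealth install: 0755 lib, world-writable plugins, and
    the (assumed) binary path under <root>/bin. Returns (rpath, binary_path)."""
    root = tempfile.mkdtemp()
    for name, mode in (("bin", 0o755), ("lib", 0o755), ("plugins", 0o777)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    return f"{root}/lib:{root}/plugins:$ORIGIN/../extra:.", os.path.join(root, "bin", "FtpCollector")
```

Run it with the uid and groups of the account that can reach the binary (here the ehealth user); any finding means a library named in FtpCollector's dependencies can be supplied by that account.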