CVE-2021-29641 in Directus
Summary
by MITRE • 04/08/2021
Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain installations with the Apache HTTP Server and the local-storage driver (e.g., when the product was obtained from hub.docker.com).
Analysis
by VulDB Data Team • 04/11/2021
CVE-2021-29641 affects Directus 8 versions prior to 8.8.2 and is a critical flaw that lets authenticated remote attackers execute arbitrary code. It stems from insufficient file-upload permission controls in the application's file management: users are allowed to place .php files in the main upload directory and in subdirectories. The flaw is particularly concerning because an uploaded PHP script that the web server executes gives the attacker persistent access to the underlying infrastructure.
Exploitation depends on a combination of inadequate access controls and server configuration. An authenticated user can use the file-upload capability to place PHP scripts within the application's file tree. When the local-storage driver is used together with Apache HTTP Server, these uploaded files are served as executable PHP rather than as static content, creating a persistent backdoor. The default Docker image from hub.docker.com is affected because it typically bundles Apache as the web server and the local-storage driver for file handling, so the default configuration combined with the upload functionality enables code execution without any additional exploitation step.
The operational impact goes well beyond simple privilege escalation, because the attacker gains persistent access to the affected system. Once an uploaded PHP file is executed, threat actors can use the compromised server as a foothold for further attacks within the network, potentially leading to data breaches, lateral movement and complete system compromise. Affected organizations are those relying on Directus 8 for content management and file handling, particularly those using the default Docker deployment. Authentication is required to exploit the flaw, so attackers must first obtain valid user credentials; once they have, they can execute code with the privileges of the web server process.
Organizations should upgrade immediately to Directus 8.8.2 or later, which addresses the vulnerability through stricter file-upload permission controls. Beyond that, restrict file-upload capabilities so that PHP files cannot be uploaded, and implement proper file-type validation and sanitization. A web application firewall can additionally monitor and block suspicious upload activity. The vulnerability aligns with CWE-434, which covers insecure file upload, and represents a technique that falls under the ATT&CK matrix category of T1105 Command and Control Communication. Security teams should also review their Docker deployment configurations to ensure that unnecessary file-upload capabilities are disabled and that proper access controls are in place at both the application and server levels. Regular security audits should identify and remediate similar permission flaws that could enable comparable code execution in other applications or systems.
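As an added example (not Directus code), the following Python implements the two checks the advisory implies for a local-storage upload tree: reject server-interpreted names (the .php family, including double extensions) and Apache override files such as .htaccess, and audit an existing tree for files that slipped through. The extension list and the constructed sample tree are assumptions for illustration.

```python
"""Upload-name policy and audit for a Directus-style local-storage upload tree.
Added example, not Directus code. Flags the two conditions from the advisory:
server-interpreted files (.php family) and Apache override files (.htaccess)."""
import os
import re
import tempfile

# Extensions a typical mod_php / PHP-FPM handler mapping executes (assumption).
PHP_LIKE = re.compile(r"\.(php\d?|phtml|phar|phps)$", re.IGNORECASE)
# Apache per-directory override files; an uploaded .htaccess can enable handlers.
APACHE_OVERRIDES = {".htaccess", ".htpasswd"}


def upload_name_problem(name: str):
    """Return a reason string if `name` must be rejected, else None.
    Every dotted segment is checked so 'shell.php.jpg' is caught as well."""
    base = os.path.basename(name)
    if base != name or not base or base in (".", ".."):
        return "path component not allowed"
    if base.lower() in APACHE_OVERRIDES:
        return "apache override file"
    for part in base.split(".")[1:]:  # each extension after the stem
        if PHP_LIKE.match("." + part):
            return "server-interpreted extension"
    return None


def audit_upload_tree(root: str):
    """Walk an existing upload tree and list files violating the policy."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            why = upload_name_problem(f)
            if why:
                findings.append((os.path.relpath(os.path.join(dirpath, f), root), why))
    return sorted(findings)


def demo():
    """Constructed sample tree: one benign image plus the advisory's patterns."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sub"))
    for rel in ("photo.jpg", "shell.php", "sub/.htaccess", "sub/cmd.phtml"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    return audit_upload_tree(root)


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```

Running the audit against a real upload directory is a quick way to confirm whether an installation was used this way before the upgrade.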