Accellion recently released patches addressing four vulnerabilities in its File Transfer Appliance, a tool linked to a growing list of data breaches since December.
Background
On January 12, Accellion, a private cloud solutions company, published a statement regarding a security incident involving one of its customers. The statement revealed the presence of a “P0 (priority zero) vulnerability” in its File Transfer Appliance (FTA), a cloud-hosted or on-premises solution for organizations to “transfer large and sensitive files.” The vulnerability was patched "within 72 hours" and affected "less than 50 customers," according to the Accellion statement.
Throughout January, multiple companies came forward acknowledging data breaches linked to Accellion’s FTA. In a subsequent statement on February 2, Accellion noted that in the weeks since the first P0 vulnerability was disclosed, it had identified “additional exploits” in FTA and had patched each of those vulnerabilities. However, the Feb. 2 statement did not share any specific details about these flaws or the versions of FTA that may be impacted.
At the time this blog post was published, at least 11 organizations had publicly confirmed being victims of data breaches associated with FTA.
On February 16, Accellion published the first descriptions for four vulnerabilities in FTA on its GitHub page.
Analysis
At the time this blog post was published, three of the four vulnerabilities received a CVSSv3 score of 9.8; the fourth did not yet have a score assigned to it.
CVE-2021-27101 is a SQL injection vulnerability. An unauthenticated, remote attacker could exploit the flaw by sending a request with a specially crafted Host header to the document_root file on a vulnerable FTA endpoint.
CVE-2021-27103 is a Server-Side Request Forgery (SSRF) vulnerability. An unauthenticated, remote attacker could exploit the flaw by sending a specially crafted POST request to the wmProgressstat file on a vulnerable FTA endpoint.
CVE-2021-27104 is an OS command injection vulnerability. An unauthenticated, remote attacker could exploit the flaw by sending a specially crafted POST request to an FTA administrative endpoint.
CVE-2021-27102 is another OS command injection vulnerability. We do not know whether it is similar to CVE-2021-27104 because no CVSSv3 vector was available at the time this blog post was published. If it is similar, we would expect it to affect the same FTA administrative endpoint.
While details for these vulnerabilities are quite limited, we intend to update this blog as more detailed information becomes available.
Successful exploitation of these flaws may allow attackers to view and exfiltrate files from vulnerable FTA instances.
CVE | CVSSv3 | Tenable VPR* |
---|---|---|
CVE-2021-27101 | 9.8 | 10.0 |
CVE-2021-27102 | N/A | 9.2 |
CVE-2021-27103 | 9.8 | 9.5 |
CVE-2021-27104 | 9.8 | 9.2 |
*Please note Tenable VPR scores are calculated nightly. This blog post was published on February 19 and reflects VPR at that time.
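The two request patterns described above (a hostile Host header on a request to document_root, and POSTs to wmProgressstat) can be hunted for in web access logs. The following script is an added example written for this post, not code from Tenable or Accellion. It assumes the operator has exported FTA front-end access logs in a combined format with the Host header appended as a final quoted field, and that the appliance's legitimate hostnames are known; the log lines embedded below are constructed for illustration, and the injection string in one of them is a generic marker, not a known exploit payload.

```python
"""Hunt for the FTA request patterns described above in web access logs.
Added example for this post; not Tenable's or Accellion's code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the appliance's legitimate hostnames, supplied by the operator.
EXPECTED_HOSTS = {"fta.example.com"}

# Combined log format with the Host header appended as a final quoted field.
# Assumption: your log exporter writes this layout; adjust the regex otherwise.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<host>[^"]*)"$'
)

# Characters and keywords that never belong in a legitimate Host header.
SQLI_HOST_RE = re.compile(r"""['";]|--|/\*|\b(union|select|sleep|benchmark)\b""", re.I)

# Constructed sample log (hypothetical addresses from documentation ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2021:03:14:07 +0000] "GET /document_root.html HTTP/1.1" 200 512 "fta.example.com"
198.51.100.7 - - [12/Jan/2021:03:15:22 +0000] "GET /document_root.html HTTP/1.1" 500 0 "fta.example.com' UNION SELECT 1--"
203.0.113.10 - - [12/Jan/2021:03:20:01 +0000] "POST /wmProgressstat.html HTTP/1.1" 200 44 "fta.example.com"
203.0.113.11 - - [12/Jan/2021:03:21:45 +0000] "GET /index.html HTTP/1.1" 200 9000 "fta.example.com"
"""


@dataclass
class Finding:
    src: str
    ts: str
    rule: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(log_text: str) -> List[Finding]:
    """Apply the three rules to every parseable line and return the hits in order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; in production, count these separately
        path = rec["path"].lower()
        host = rec["host"]
        # Rule 1: SQL metacharacters in the Host header of a document_root request
        # (the CVE-2021-27101 vector described above).
        if "document_root" in path and SQLI_HOST_RE.search(host):
            findings.append(Finding(rec["src"], rec["ts"], "CVE-2021-27101-pattern", f"Host={host!r}"))
        # Rule 2: any POST to wmProgressstat (the CVE-2021-27103 vector) deserves review.
        if "wmprogressstat" in path and rec["method"] == "POST":
            findings.append(Finding(rec["src"], rec["ts"], "CVE-2021-27103-pattern", f"POST {rec['path']}"))
        # Rule 3: generic Host-header anomaly: a value that is not one of the appliance's names.
        if host not in EXPECTED_HOSTS:
            findings.append(Finding(rec["src"], rec["ts"], "unexpected-host", f"Host={host!r}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.rule}: {f.detail}")
```

Rule 3 is deliberately broader than the two CVE-specific rules: a Host header that is not one of the appliance's own names is worth a look on any internet-facing appliance, and it catches variants of the document_root pattern that the keyword list misses.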
Unconfirmed connection to recently detailed web shell on FTA instance
On January 28, researchers at Guidepoint Security published a blog post detailing a joint investigation with deepwatch that analyzed a web shell found within an instance of Accellion’s FTA. Because of the timing of this publication, Tenable Research believes it may be an example of the attacks described, as the web shell analyzed would allow for an attacker to exfiltrate documents from a vulnerable FTA instance.
CL0P Ransomware claims responsibility for breach but denies Accellion connection
Recently, the CL0P ransomware group claimed responsibility for an attack on Jones Day, a U.S.-based international law firm. However, according to The Wall Street Journal, Jones Day is disputing the claim, saying the files pilfered were not from its network, but were the result of a breach in its use of Accellion’s FTA product.
The CL0P ransomware gang operates a leak website, a tactic pioneered by the Maze ransomware group in December 2019, which we discuss in our 2020 Threat Landscape Retrospective report. Leak websites are used to name and shame victims of ransomware attacks as a form of double extortion. The original extortion is the encryption of files on the victim’s network. The double extortion tactic involves exfiltrating data from the victim’s network and threatening to leak it publicly if ransom demands are not met. The ransomware groups post a sampling of the stolen files on these leak websites.
On the CL0P leak website (“CL0P LEAKS”), a cache of files associated with the Jones Day breach has been published. Files associated with Singtel, another organization recently linked to a data breach via Accellion’s FTA, have also appeared on the CL0P LEAKS website.
Image of list of affected organizations from the CL0P LEAKS website
It remains unclear whether or not the CL0P ransomware group exploited the vulnerabilities in Accellion’s FTA in order to steal files from these organizations. A section in the 44th edition of the Risky Business newsletter surmises that the CL0P ransomware group could be “helping other attackers monetise the theft of data” from these organizations.
Proof of concept
At the time this blog post was published there were no public proof-of-concept (PoC) exploits available for any of the four vulnerabilities in the FTA.
Solution
According to the recent publication of CVEs on Accellion’s GitHub page, the fixes shipped in two releases: FTA 9_12_380 addresses the SQL injection and SSRF flaws, and FTA 9_12_416 addresses the two OS command injection flaws. The following table lists the affected versions and fixed versions of FTA:
CVE | Affected FTA Versions | Patched FTA Version |
---|---|---|
CVE-2021-27101 | 9_12_370 and earlier | 9_12_380 and later |
CVE-2021-27102 | 9_12_411 and earlier | 9_12_416 and later |
CVE-2021-27103 | 9_12_370 and earlier | 9_12_380 and later |
CVE-2021-27104 | 9_12_411 and earlier | 9_12_416 and later |
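When checking fleet inventory against the table above, compare FTA build numbers numerically rather than as strings, since the underscore-separated format ("9_12_380") sorts incorrectly under plain string comparison once a component grows a digit. The following helper is an added example for this post, not vendor code; the fixed-build mapping is taken from the table, and the accepted separators (underscore or dot) are an assumption about how your inventory records the version.

```python
"""Decide, from an FTA build string, which of the four CVEs an appliance still
lacks a fix for. Added example based on the table above; not vendor code."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# First fixed build per CVE, from the table above.
FIXED_IN: Dict[str, str] = {
    "CVE-2021-27101": "9_12_380",
    "CVE-2021-27103": "9_12_380",
    "CVE-2021-27102": "9_12_416",
    "CVE-2021-27104": "9_12_416",
}


def parse_version(v: str) -> Version:
    """Turn '9_12_380' (or '9.12.380', an assumed alternate spelling) into an
    integer tuple so that comparison is numeric: as strings, '9_12_1000' would
    wrongly sort below '9_12_380'."""
    parts = re.split(r"[._]", v.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FTA version string: {v!r}")
    return tuple(int(p) for p in parts)


def missing_patches(installed: str) -> List[str]:
    """Return, sorted, the CVEs whose first fixed build is newer than the installed build."""
    cur = parse_version(installed)
    return sorted(cve for cve, fixed in FIXED_IN.items() if cur < parse_version(fixed))


if __name__ == "__main__":
    # Constructed inventory: hostname -> reported FTA build.
    inventory = {"fta-east": "9_12_370", "fta-west": "9_12_380", "fta-lab": "9_12_416"}
    for host, build in inventory.items():
        gaps = missing_patches(build)
        print(f"{host} ({build}): {'up to date' if not gaps else ', '.join(gaps)}")
```

An appliance on 9_12_380 is reported as still exposed to the two command injection flaws, which is the case the table makes easy to misread: applying the first patch set alone is not sufficient.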
FTA reaches end of life on April 30
As part of its recent statements, Accellion has published a document announcing the official end of life (EOL) for its FTA product is April 30, 2021. Accellion is instructing all legacy FTA customers to migrate over to its kiteworks solution.
Image Source: Accellion EOL Document for FTA
We strongly encourage all organizations to apply these available patches as soon as possible and create a migration plan to move away from FTA before its EOL.
Identifying affected systems
Tenable customers can utilize our existing detection plugin to identify Accellion File Transfer Appliance assets in your environment.
Because FTA will reach EOL on April 30, we will be releasing an unsupported version detection plugin 60 days before the EOL date. The plugin will be available here on March 1.
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Get more information
- Accellion Initial Statement Regarding Security Incident
- Accellion Updated Statement Regarding Security Incidents
- GitHub Repository for Accellion Vulnerability Descriptions
- Guidepoint Security Blog Post on FTA Web Shell
- Accellion End of Life Announcement for FTA