Overview of CVE-2021-28970 and CVE-2021-28969

This report is about two vulnerabilities affecting FireEye EX 3500. Successful exploitation of these vulnerabilities may allow the attacker to view, add, modify, or delete information in the back-end database. If your company uses the FireEye EX 3500 e-mail security appliance, it is highly recommended that vendor-supplied patches are applied as soon as possible to mitigate the risk of exploitation.

Tactics, Techniques, and Procedures

The vulnerabilities are identified as CVE-2021-28970 and CVE-2021-28969. To exploit them, a remote authenticated attacker could send specially crafted SQL statements to the email search feature via the job_id parameter, or to the email search feature script via the sort_by parameter, which may give the attacker access to information in the back-end database.

The CVE-2021-28970 vulnerability occurs when an attacker logs on to the central management WebGUI as a remote authenticated user and searches for processed e-mails. The authenticated user conducts the SQL injection attack via the job_id parameter of the email search feature.

The CVE-2021-28969 vulnerability allows remote authenticated users to conduct SQL injection attacks through the sort_by parameter of the email search feature. Because user-controlled input is not sanitized, the web application is vulnerable to SQL injection, allowing data to be extracted from the back-end database.
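The two parameters named above illustrate two different fixes for the same defect class. A value such as job_id can be bound as a query parameter, but an ORDER BY column name such as sort_by cannot, so it must be checked against an allow-list of known column names. The following is an added example written for this report; it is not FireEye's code, the `email_jobs` table and its rows are constructed for the demonstration, and the function and column names are assumptions. It uses Python's built-in sqlite3 module so it runs offline.

```python
import re
import sqlite3

# Constructed sample table standing in for an e-mail search back end
# (hypothetical schema, not the appliance's real one).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE email_jobs (job_id INTEGER, subject TEXT, received TEXT)"
    )
    conn.executemany(
        "INSERT INTO email_jobs VALUES (?, ?, ?)",
        [
            (1, "quarterly report", "2021-03-01"),
            (2, "invoice 42", "2021-03-02"),
            (3, "meeting notes", "2021-03-03"),
        ],
    )
    return conn


def search_vulnerable(conn, job_id, sort_by):
    """Builds the query by string formatting: both user-controlled values
    reach the SQL engine unsanitized, which is the defect class the
    advisory describes for the job_id and sort_by parameters."""
    sql = (
        f"SELECT job_id, subject FROM email_jobs "
        f"WHERE job_id = {job_id} ORDER BY {sort_by}"
    )
    return conn.execute(sql).fetchall()


# Only these column names may ever appear in ORDER BY.
ALLOWED_SORT_COLUMNS = {"job_id", "subject", "received"}


def search_hardened(conn, job_id, sort_by):
    """Same search with input handled safely.

    job_id is validated as a plain integer at the boundary and then bound
    as a query parameter, so its value is never parsed as SQL.  sort_by
    selects a column name, which cannot be bound as a parameter, so it is
    accepted only if it matches the allow-list exactly."""
    if not re.fullmatch(r"\d+", str(job_id)):
        raise ValueError("job_id must be a non-negative integer")
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort_by must name a known column")
    # sort_by is interpolated only after the allow-list check above.
    sql = (
        "SELECT job_id, subject FROM email_jobs "
        f"WHERE job_id = ? ORDER BY {sort_by}"
    )
    return conn.execute(sql, (int(job_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search_hardened(db, "2", "subject"))
    for bad in (("2 OR 1=1", "subject"), ("2", "subject; DROP TABLE email_jobs")):
        try:
            search_hardened(db, *bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The allow-list is the important part for the sort_by case: escaping or quoting does not help when the untrusted value is meant to become an identifier rather than a literal, and a parameterized query will not accept a column name there. Rejecting anything outside the known set, rather than trying to strip suspicious characters, is also easier to audit and to log as a detection signal.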

Business Unit Impact

  • An attacker may be able to view, add, modify, or delete information in the back-end database.
  • Data manipulation may affect the integrity of company information.

Our Recommendations

  • Upgrade to the latest version of FireEye EMPS (9.0.3 or later), available from the FireEye website.

Sources

Supporting Documentation

MITRE Mapping(s)

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.