Privilege Escalation Vulnerability Discovered In RaspAP: CVE-2021-33356 / CX-2021-4794

Severity

Severity: 9.9 - Critical Severity

Advisory Timeline Summary

RaspAP prior to version 2.6.6 is vulnerable to Privilege Escalation.

Product

RaspAP prior to 2.6.6

Impact

Chaining this vulnerability with another one (see CVE-2021-33357 and CVE-2021-33358) enables an attacker to execute arbitrary commands with root privileges on the RaspAP instance.

Steps To Reproduce

  1. Using CVE-2021-33357 or CVE-2021-33358, append a command to /etc/raspap/lighttpd/configport.sh.
  2. Run the script with sudo. You won’t be asked for a password and the command will be run as root.

Expected Result:

The file should only be editable by root.
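
A defender-side check for the condition described above, as an added example that is not part of the advisory or of RaspAP's code: it verifies that a script sudo runs without a password, and every directory above it, is owned by root and not writable by group or other. The parent-directory walk goes beyond the single file the advisory names; GNU `stat` is assumed, and `AUDIT_UID` and the stop-directory argument are hypothetical knobs introduced for this example.

```shell
#!/bin/sh
# Added example: audit a script that sudo runs as root without a password.
# Assumes GNU stat (Debian / Raspberry Pi OS). AUDIT_UID and STOP_DIR are
# hypothetical knobs for this example; they default to uid 0 and "/".
# Usage: sudo_target_is_safe /etc/raspap/lighttpd/configport.sh

# node_is_locked PATH -> 0 if PATH is owned by the trusted uid and has no
# group-write or other-write bit set; 1 otherwise (including stat failure).
# Symlinks are not followed, so a symlink (mode 777) is reported as unsafe.
node_is_locked() {
    owner=$(stat -c '%u' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ "$owner" = "${AUDIT_UID:-0}" ] || return 1
    # 022 masks the group-write and other-write bits of the octal mode.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# sudo_target_is_safe FILE [STOP_DIR] -> 0 only if FILE and every directory
# from its parent up to STOP_DIR pass node_is_locked. A writable parent
# directory lets the file be replaced even when the file itself is locked.
sudo_target_is_safe() {
    case $1 in
        /*) ;;
        *) echo "absolute path required: $1" >&2; return 2 ;;
    esac
    node=$1
    stop=${2:-/}
    while :; do
        if ! node_is_locked "$node"; then
            echo "UNSAFE: $node is not root-only writable" >&2
            return 1
        fi
        if [ "$node" = "$stop" ] || [ "$node" = "/" ]; then
            break
        fi
        node=$(dirname "$node")
    done
    return 0
}
```
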

Remediation

This issue was fixed in version 2.6.6 through the commit listed under Resources (cae2031).

Properties

Attack Vector: Network

Attack Complexity: Low

Privileges Required: Low

User Interaction: None

Scope: Changed

Confidentiality: High

Integrity: High

Availability: High

Credit

This issue was discovered and reported by Checkmarx Security Researcher Omri Inbar.

Resources

  1. Commit (cae2031)