Unauthenticated Command Injection Vulnerability Discovered In RaspAP: CVE-2021-33357 / CX-2021-4795

Severity

Severity: 10 - Critical Severity

Summary

RaspAP prior to version 2.6.6 is vulnerable to Unauthenticated Command Injection.

Product

RaspAP prior to 2.6.6

Impact

An unauthenticated attacker can execute arbitrary OS commands on any RaspAP instance prior to 2.6.6. This can be chained with a privilege escalation exploit (CVE-2021-33356) to achieve root access.

Steps To Reproduce

  1. Navigate to: http://raspap-ip/ajax/networking/get_netcfg.php?iface=;YOUR-COMMAND-HERE;

Expected Result:

Your injected command should run on the RaspAP host.

Remediation

This issue was fixed in version 2.6.6 by commit cae2031.
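
For hosts that ran a version prior to 2.6.6, web server access logs can be reviewed for requests to the affected endpoint whose iface value does not look like an interface name. The following is an added example, not code from this advisory or from the RaspAP project; it assumes a common/combined-style access log, and the allow-list pattern and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

ENDPOINT = "/ajax/networking/get_netcfg.php"  # path named in the advisory
# Assumption: real interface names fit Linux's 15-character limit and use only
# these characters; any other iface value is reported.
VALID_IFACE = re.compile(r"[A-Za-z0-9_.:-]{1,15}")
# Assumption: common/combined-style line: client, two fields, [time], "request", status.
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def iface_values(query):
    """Return every URL-decoded iface value found in a raw query string."""
    values = []
    for pair in query.split("&"):  # split on '&' only, so ';' stays in the value
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "iface":
            values.append(unquote_plus(value))
    return values

def suspicious_requests(lines):
    """Return (client, decoded iface, status) for iface values outside the allow-list."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        parts = urlsplit(target)
        # endswith() also covers installs served from a subdirectory
        if not unquote(parts.path).endswith(ENDPOINT):
            continue
        for value in iface_values(parts.query):
            if not VALID_IFACE.fullmatch(value):
                hits.append((client, value, status))
    return hits

# Constructed sample lines (documentation addresses, placeholder payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2021:10:00:00 +0000] "GET /ajax/networking/get_netcfg.php?iface=wlan0 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2021:10:00:05 +0000] "GET /ajax/networking/get_netcfg.php?iface=%3BPLACEHOLDER%3B HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jun/2021:10:00:09 +0000] "GET /ajax/networking/get_netcfg.php?iface=;PLACEHOLDER; HTTP/1.1" 200 64',
    '192.0.2.10 - - [01/Jun/2021:10:00:12 +0000] "GET /index.php?page=wlan0_info HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Because the endpoint required no authentication, a hit against a host that was running a version prior to 2.6.6 at the time should be investigated as possible command execution rather than dismissed as probing.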

Properties

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Changed

Confidentiality: High

Integrity: High

Availability: High

Credit

This issue was discovered and reported by Checkmarx Security Researcher Omri Inbar.

Resources

  1. Commit (cae2031)