CVE-2021-21805
Description
An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in Advantech R-SeeNet ping.php allows unauthenticated remote attackers to execute arbitrary commands.
Vulnerability
An OS command injection vulnerability exists in the ping.php script of Advantech R-SeeNet version 2.4.12 (20.10.2020) [1]. The script accepts a hostname parameter via an HTTP GET request without any authentication. The parameter is concatenated directly into a popen() call without sanitization, allowing an attacker to inject arbitrary OS commands [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to the ping.php endpoint with a malicious hostname parameter [1]. No user interaction or prior authentication is required. The attacker only needs network access to the R-SeeNet web interface.
Impact
Successful exploitation leads to arbitrary OS command execution with the privileges of the web server process [1]. This can result in full compromise of the affected system, including disclosure of sensitive data, modification of files, and potential denial of service. The CVSSv3 score is 9.8 (Critical) [1].
Mitigation
As of the publication date (2021-08-05), no official patch has been released by Advantech [1]. Users should restrict network access to the R-SeeNet web interface to trusted hosts and monitor for any updates from the vendor. If possible, disable the ping.php script or apply input validation as a workaround.
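The input-validation workaround mentioned above could look like the following. This is an added example, not Advantech's code and not taken from the Talos report: the function names, the Linux-style `ping -c 4` invocation and the plain-text response are assumptions, and only the `hostname` GET parameter and the use of popen() come from the description above.

```php
<?php
// Added illustration, not R-SeeNet source. The flaw described above has the shape
//   popen("ping ... " . $_GET['hostname'], "r")   (constructed, not vendor code)
// where a shell parses whatever the client sent.

/** Return $raw only if it is an IP literal or a plain DNS hostname, else null. */
function validate_ping_target(string $raw): ?string
{
    if ($raw === '' || strlen($raw) > 253) {
        return null;
    }
    if (filter_var($raw, FILTER_VALIDATE_IP) !== false) {
        return $raw; // strict IPv4/IPv6 literal
    }
    // Allowlist: labels of letters, digits and inner hyphens, joined by dots.
    // A label cannot start with '-', so the value can never be read as an option.
    // /D stops '$' from matching before a trailing newline.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/^' . $label . '(?:\.' . $label . ')*$/D', $raw) === 1) {
        return $raw;
    }
    return null;
}

/** Run ping without a shell: the array form of proc_open() needs PHP >= 7.4. */
function run_ping(string $target): string
{
    $cmd = ['ping', '-c', '4', $target]; // assumed Linux ping syntax
    $proc = proc_open($cmd, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? '' : $out;
}

// Request handling: reject anything that is not a single valid string value.
$raw = $_GET['hostname'] ?? null;
$target = is_string($raw) ? validate_ping_target($raw) : null;
if ($target === null) {
    http_response_code(400);
    exit("invalid hostname\n");
}
header('Content-Type: text/plain');
echo run_ping($target);
```

Validation and shell-free execution are independent layers: either one alone stops metacharacters from reaching a shell, and neither replaces restricting network access to the interface.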
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Advantech/R-SeeNet (source: description)
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1274 (mitre, x_refsource_MISC)