CVE-2021-21878
Description
A local file inclusion vulnerability exists in the Web Manager Applications and FsBrowse functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted series of HTTP requests can lead to local file inclusion. An attacker can make a series of authenticated HTTP requests to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated local file inclusion in Lantronix PremierWave 2050 web manager allows disclosure of arbitrary files via symlink attack.
Vulnerability
The Web Manager Applications and FsBrowse functionality of Lantronix PremierWave 2050 firmware version 8.9.0.0R4 suffers from a privilege mismatch. While Python scripts execute with reduced privileges (default user), the Filesystem > Browse page does not drop privileges, allowing an authenticated attacker to create a symlink to any file (e.g., /etc/shadow) and then read it with elevated privileges [1].
Exploitation
An attacker must be authenticated to the Web Manager. They upload and execute a Python script that creates a symlink from the browsable directory to a target file (e.g., os.system('ln -s /etc/shadow ./shadow')). Subsequently, they navigate to the Filesystem > Browse page and access the symlinked file, causing the content to be disclosed with root privileges [1].
Impact
Successful exploitation leads to local file inclusion, allowing the attacker to read arbitrary files on the device, including sensitive system files like /etc/shadow. This compromises confidentiality of the device's data. The attacker does not gain code execution but can exfiltrate sensitive information [1].
Mitigation
As of the published reference (2021-12-22), no firmware update has been released. The vulnerability was reported to Lantronix on 2021-06-14 and acknowledged, but no patch is confirmed. Users should restrict authenticated access to the Web Manager and monitor for firmware updates [1].
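The symlink technique described under Exploitation works because the browse page follows a link out of the browsable directory while still running with elevated privileges. The following is an added defensive example, not code from Lantronix or from the cited report: it audits a browsable root for symlinks that resolve outside it and shows a read helper that refuses them. The function names and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import tempfile

def escaping_symlinks(root):
    """List (relative link, resolved target) for symlinks under root that resolve outside it."""
    root_real = os.path.realpath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root_real, target]) != root_real:
                    found.append((os.path.relpath(path, root_real), target))
    return sorted(found)

def safe_read(root, rel_path):
    """Return file bytes only if the fully resolved path stays inside root."""
    root_real = os.path.realpath(root)
    real = os.path.realpath(os.path.join(root_real, rel_path))
    if os.path.commonpath([root_real, real]) != root_real:
        raise PermissionError(f"{rel_path!r} resolves outside the browsable root")
    # O_NOFOLLOW refuses a final path component swapped for a symlink after the check.
    fd = os.open(real, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:
        return fh.read()

def build_demo_tree():
    """Constructed sample: 'secret' stands in for a file such as /etc/shadow."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "browse")
    os.mkdir(root)
    secret = os.path.join(base, "secret")
    with open(secret, "w") as fh:
        fh.write("root:constructed-hash\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("ok\n")
    os.symlink(secret, os.path.join(root, "shadow"))      # escapes the root
    os.symlink("notes.txt", os.path.join(root, "alias"))  # stays inside the root
    return root, secret

if __name__ == "__main__":
    root, _ = build_demo_tree()
    print(escaping_symlinks(root))
    print(safe_read(root, "alias"))
    try:
        safe_read(root, "shadow")
    except PermissionError as exc:
        print("blocked:", exc)
```

The containment check limits what a link can reach; it does not replace dropping privileges in the handler that serves the file.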
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Lantronix/PremierWave 2050
- Range: 8.9.0.0R4
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1322 (mitre, x_refsource_MISC)