CVE-2021-21879
Description
A directory traversal vulnerability exists in the Web Manager File Upload functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary file overwrite. An attacker can make an authenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated attacker can exploit a path traversal in Lantronix PremierWave 2050 file upload to overwrite arbitrary files, leading to remote code execution.
Vulnerability
A directory traversal vulnerability exists in the Web Manager File Upload functionality of Lantronix PremierWave 2050 firmware version 8.9.0.0R4 [1]. The function handles file uploads via HTTP POST parameters cwd and selectedfile. While the filename in selectedfile is sanitized against path traversal, the cwd parameter is not, allowing an attacker to traverse outside the intended /ltrx_user/ directory by providing values such as /../bin/ [1].
Exploitation
An unprivileged but authenticated attacker can send a crafted HTTP POST request to the /fs endpoint [1]. The request includes two form-data fields: cwd with traversal sequences (e.g., /../bin/) and selectedfile with a chosen filename. The system concatenates the unsanitized cwd with the sanitized filename, writing the uploaded content to an arbitrary location on the filesystem [1].
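The defect described above is a classic one: one input is sanitized while a second input that ends up in the same path is not. The following Python model is an added example, not Lantronix code and not the firmware's actual logic; it assumes the upload root is `/ltrx_user` as the advisory states and that the filename check amounts to keeping only the last path component. It places the flawed concatenation beside a hardened version that normalizes the whole path and requires it to stay under the root, which is the check a defender would want to see in any upload handler.

```python
import posixpath

# Intended upload directory named in the advisory.
UPLOAD_ROOT = "/ltrx_user"


def sanitize_filename(selectedfile):
    """Model of the filename sanitization the advisory says IS applied:
    keep only the final path component of `selectedfile` (assumption)."""
    name = posixpath.basename(selectedfile)
    if name in ("", ".", ".."):
        raise ValueError("invalid filename")
    return name


def vulnerable_target_path(cwd, selectedfile):
    """Constructed model of the flawed behaviour: `selectedfile` is sanitized,
    but `cwd` is concatenated unchecked, so a value like "/../bin/" escapes
    UPLOAD_ROOT once the path is normalized. Returns the path only; nothing
    is written."""
    return posixpath.normpath(
        UPLOAD_ROOT + "/" + cwd + "/" + sanitize_filename(selectedfile)
    )


def hardened_target_path(cwd, selectedfile):
    """Hardened form: build the same path, normalize it, then refuse anything
    that does not remain inside UPLOAD_ROOT. The trailing "/" in the prefix
    check stops a sibling directory such as "/ltrx_user2" from passing."""
    candidate = posixpath.normpath(
        UPLOAD_ROOT + "/" + cwd + "/" + sanitize_filename(selectedfile)
    )
    if candidate != UPLOAD_ROOT and not candidate.startswith(UPLOAD_ROOT + "/"):
        raise ValueError("cwd escapes upload root: %r" % cwd)
    return candidate


def cwd_escapes_root(cwd):
    """Lexical check usable on logged request parameters: True when `cwd`
    alone would leave UPLOAD_ROOT, which is the signature of this bug class."""
    resolved = posixpath.normpath(UPLOAD_ROOT + "/" + cwd)
    return resolved != UPLOAD_ROOT and not resolved.startswith(UPLOAD_ROOT + "/")


if __name__ == "__main__":
    # Constructed request parameters, mirroring the two form fields named
    # in the advisory.
    print(vulnerable_target_path("/../bin/", "traceroute"))   # /bin/traceroute
    print(hardened_target_path("/data", "config.txt"))        # /ltrx_user/data/config.txt
    try:
        hardened_target_path("/../bin/", "traceroute")
    except ValueError as exc:
        print("rejected:", exc)
```

The check here is purely lexical, which is enough to demonstrate the mistake; a real handler should additionally resolve the final path with `os.path.realpath` and compare against the resolved root, so that a symlink inside the upload directory cannot redirect the write elsewhere, and should treat a rejected request as a security event worth logging.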
Impact
Successful exploitation allows arbitrary file overwrite. Since system executables (e.g., /bin/traceroute) can be replaced with malicious content, an attacker can achieve remote code execution as root, as demonstrated by overwriting a script that may be executed by privileged processes [1]. The CVSSv3 score is 9.9, indicating critical severity with high impact on confidentiality, integrity, and availability, and the scope is changed [1].
Mitigation
As of the reference publication date (2021-12-22), no vendor patch or fixed version was announced [1]. Users should restrict network access to the device's web manager to trusted hosts and apply the principle of least privilege for user accounts. No workaround is provided by the vendor [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Lantronix / PremierWave 2050
- Range: = 8.9.0.0R4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1323
News mentions
No linked articles in our index yet.