CVE-2021-21883
Description
An OS command injection vulnerability exists in the Web Manager Diagnostics: Ping functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in Lantronix PremierWave 2050 Web Manager Diagnostics Ping allows authenticated attackers to execute arbitrary commands as root.
Vulnerability
The Lantronix PremierWave 2050 firmware version 8.9.0.0R4 contains an OS command injection vulnerability in the Web Manager Diagnostics Ping functionality. The host parameter is not properly sanitized before being used in a shell command via ndisc6. If the host parameter starts with fe80: and does not contain a % symbol, it is injected directly into the command format string, allowing arbitrary command execution. [1]
Exploitation
An attacker must be authenticated to access the Web Manager. By sending a specially crafted HTTP POST request to the diagnostics Ping endpoint with a malicious host parameter, the attacker can inject arbitrary OS commands. The crafted parameter bypasses the zone ID check and is inserted into the command executed by exec_system_cmd_print with root privileges. [1]
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands with root privileges. This can lead to full compromise of the device, including data disclosure, modification, or denial of service. The CVSSv3 score is 9.9 (Critical). [1]
Mitigation
As of the publication date, no patched version has been released by Lantronix. Users should restrict network access to the Web Manager to trusted hosts and consider disabling the Ping diagnostic feature if not needed. [1]
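The Vulnerability section describes a host value being accepted on a prefix test (starts with fe80:, no % present) rather than on being a valid address. The following is an added example of stricter handling, not Lantronix code and not taken from the cited report; the function name canonical_link_local and the sample inputs are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Lantronix code. Parses `host` as an IPv6 literal,
 * requires the link-local prefix fe80::/10, and writes a canonical form
 * re-rendered from the parsed bytes into `out`.
 * Returns 1 on success, 0 on rejection. */
int canonical_link_local(const char *host, char *out, size_t outlen)
{
    struct in6_addr addr;

    if (host == NULL || out == NULL || strlen(host) >= INET6_ADDRSTRLEN)
        return 0;
    /* inet_pton accepts only hex digits, ':' and a dotted-quad tail, so any
     * input carrying shell metacharacters, whitespace or '%' fails here. */
    if (inet_pton(AF_INET6, host, &addr) != 1)
        return 0;
    /* fe80::/10: the first ten bits are 1111 1110 10. */
    if (addr.s6_addr[0] != 0xfe || (addr.s6_addr[1] & 0xc0) != 0x80)
        return 0;
    /* Emit text derived from the binary address, never the raw input. */
    return inet_ntop(AF_INET6, &addr, out, (socklen_t)outlen) != NULL;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "fe80::1", "FE80:0:0:0:0:0:0:1",
                              "fe80::1; echo x", "fe80::1%eth0",
                              "2001:db8::1" };
    char buf[INET6_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (canonical_link_local(samples[i], buf, sizeof buf))
            printf("accept %-20s -> %s\n", samples[i], buf);
        else
            printf("reject %s\n", samples[i]);
    }
    return 0;
}
```

The canonical string is then safest passed as its own argv element to an exec-family call, with any interface name chosen from a fixed list, instead of being formatted into a shell command line.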
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Lantronix/PremierWave 2050 (description)
- Range: = 8.9.0.0R4
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1327 (mitre, x_refsource_MISC)