VYPR
Unrated severity · NVD Advisory · Published Dec 22, 2021 · Updated Aug 3, 2024

CVE-2021-21885

Description

A directory traversal vulnerability exists in the Web Manager FsMove functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially crafted HTTP request can lead to local file inclusion. An attacker can make an authenticated HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A directory traversal vulnerability in Lantronix PremierWave 2050 Web Manager's FsMove function allows authenticated attackers to move arbitrary files, leading to local file inclusion.

Vulnerability

The Lantronix PremierWave 2050 Web Manager (version 8.9.0.0R4) contains a directory traversal vulnerability in the FsMove functionality. This feature, intended to move files within the /ltrx_user/ directory, fails to properly sanitize the cwd and dst HTTP POST parameters. An authenticated user with filesystem privileges can craft a request that includes path traversal sequences (e.g., ../) to move files from arbitrary locations on the device into the /ltrx_user/ directory [1].

Exploitation

An attacker must have valid credentials with filesystem-level access to the Web Manager. By sending a specially crafted HTTP POST request to the device, the attacker can manipulate the cwd and dst parameters to traverse outside the intended directory. For example, setting cwd=/../etc/ and dst=../ltrx_user/shadow moves /etc/shadow into the readable /ltrx_user/ directory [1]. No user interaction beyond the authenticated session is required.
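The path resolution described above, as an added illustration that is not code from Lantronix or from the advisory: a naive resolver that joins the cwd and dst parameters onto /ltrx_user/ with no containment check, beside a hardened version that rejects the request. The name parameter (the file being moved) is an assumption; the advisory names only cwd and dst.

```python
import posixpath

BASE_DIR = "/ltrx_user"  # directory FsMove is meant to operate within (per the advisory)


def naive_resolve(cwd: str, name: str, dst: str, base: str = BASE_DIR) -> tuple:
    """Unsanitized resolution: join the parameters onto the base directory and
    normalise '..' components without checking where the result lands.
    Illustrative model only; 'name' (the file being moved) is an assumption,
    the advisory names just cwd and dst."""
    src_dir = posixpath.join(base, cwd.lstrip("/"))
    src = posixpath.normpath(posixpath.join(src_dir, name))
    dest = posixpath.normpath(posixpath.join(src_dir, dst))
    return src, dest


def is_within(base: str, path: str) -> bool:
    """True only if the normalised path is base itself or strictly below it
    (a plain string-prefix test would wrongly accept /ltrx_user_evil/...)."""
    base = posixpath.normpath(base)
    path = posixpath.normpath(path)
    return path == base or path.startswith(base + "/")


def hardened_resolve(cwd: str, name: str, dst: str, base: str = BASE_DIR):
    """Same resolution, but reject any '..' component up front and refuse a
    source or destination that resolves outside base. Returns None when
    rejected. Against a real filesystem, realpath() would also be needed so
    a symlink inside base cannot point back outside it."""
    for param in (cwd, name, dst):
        if ".." in param.split("/"):
            return None
    src, dest = naive_resolve(cwd, name, dst, base)
    if not (is_within(base, src) and is_within(base, dest)):
        return None
    return src, dest


if __name__ == "__main__":
    # The request from the advisory: cwd=/../etc/ and dst=../ltrx_user/shadow
    print(naive_resolve("/../etc/", "shadow", "../ltrx_user/shadow"))
    # -> ('/etc/shadow', '/ltrx_user/shadow'): the source escaped /ltrx_user
    print(hardened_resolve("/../etc/", "shadow", "../ltrx_user/shadow"))
    # -> None: rejected
    print(hardened_resolve("logs", "a.txt", "archive/a.txt"))
    # -> ('/ltrx_user/logs/a.txt', '/ltrx_user/logs/archive/a.txt')
```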

Impact

Successful exploitation allows the attacker to read arbitrary files on the device, including sensitive system files such as /etc/shadow. This can lead to disclosure of password hashes and other confidential information, potentially enabling privilege escalation or further compromise of the device [1]. The vulnerability is classified as local file inclusion (CWE-22) with a CVSSv3 score of 7.2 (High).

Mitigation

As of the publication date (2021-12-22), no official firmware update has been released by Lantronix to address this vulnerability. The only mitigation is to restrict access to the Web Manager to trusted users and disable the filesystem privilege for non-administrative accounts where possible. The device should be monitored for unauthorized file access [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1
