CVE-2021-21888
Description
An OS command injection vulnerability exists in the Web Manager SslGenerateCertificate functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated OS command injection in Lantronix PremierWave 2050 Web Manager SslGenerateCertificate leads to arbitrary command execution as root.
Vulnerability
An OS command injection vulnerability exists in the Web Manager SslGenerateCertificate function of the Lantronix PremierWave 2050 (firmware version 8.9.0.0R4, tested in QEMU). The function composes an openssl system command using attacker-controlled POST parameters (e.g., sslcredentialname, keytype, bits, curve_bits, cn, ou, o, l, s, c) without proper sanitization. The command is executed with root privileges [1].
Exploitation
An attacker must first authenticate to the Web Manager with a user account that has ssl group write authorization. The attacker then sends a specially crafted HTTP POST request to the SslGenerateCertificate endpoint, embedding OS command injection payloads in one or more of the unsanitized parameters. No additional user interaction or race condition is required. The command runs with full root privileges [1].
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary OS commands as root. This can lead to full compromise of the device, including data disclosure, modification, denial of service, and use as a pivot point within the network. The CVSSv3 score is 9.1 (Critical) due to network access, low attack complexity, high privileges required, changed scope, and high impact on confidentiality, integrity, and availability [1].
Mitigation
The available references do not mention a fixed firmware release from Lantronix. Users should restrict access to the Web Manager to trusted users and networks, apply the principle of least privilege for accounts with ssl write permissions, and monitor for suspicious activity. If possible, disable the SSL certificate generation feature or block HTTP POST requests to the vulnerable endpoint. Until a patch is provided, the device remains at risk [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
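A defensive check built on the parameter list above, as an added example (not code from Lantronix or the Talos report): it audits a captured form-encoded POST body and flags any of the named fields whose decoded value falls outside a strict allow-list. The allow-list patterns and the sample bodies are constructed assumptions; the endpoint path is not given on this page and is not modelled.

```python
import re
from urllib.parse import parse_qsl

# Field names come from the advisory text. The patterns are assumptions for
# illustration, not Lantronix's documented input rules; tighten them to match
# the values your own deployment actually submits.
TEXT = re.compile(r"[A-Za-z0-9 ._-]{1,64}")
ALLOWED = {
    "sslcredentialname": re.compile(r"[A-Za-z0-9_.-]{1,64}"),
    "keytype": re.compile(r"[A-Za-z]{1,16}"),
    "bits": re.compile(r"[0-9]{3,5}"),
    "curve_bits": re.compile(r"[0-9]{3,4}"),
    "cn": re.compile(r"[A-Za-z0-9.*-]{1,64}"),
    "ou": TEXT, "o": TEXT, "l": TEXT, "s": TEXT,
    "c": re.compile(r"[A-Za-z]{2}"),
}

def audit_body(body):
    """Return (field, decoded_value) pairs that violate the allow-list.

    parse_qsl keeps every occurrence of a repeated field, so a benign first
    value cannot hide a second one. Values are URL-decoded once, which means
    a double-encoded value still contains '%' and is flagged as well.
    """
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        pattern = ALLOWED.get(name)
        if pattern is not None and not pattern.fullmatch(value):
            findings.append((name, value))
    return findings

# Constructed sample bodies (not captured traffic).
BENIGN = ("sslcredentialname=web1&keytype=rsa&bits=2048&cn=dev1.example.com"
          "&ou=Ops&o=Example+Corp&l=Irvine&s=CA&c=US")
SUSPECT = ("sslcredentialname=web1&keytype=rsa&bits=2048%3Bid"
           "&cn=dev1.example.com&cn=%60id%60&c=US")
DOUBLE_ENCODED = "keytype=rsa&bits=2048%253Bid"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT),
                        ("double-encoded", DOUBLE_ENCODED)):
        print(label, audit_body(body))
```

The same allow-list can back a reverse-proxy rule in front of the Web Manager or a log review job; an allow-list is used because it rejects every shell metacharacter without having to enumerate them.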
Affected products
- Lantronix/PremierWave 2050
- Range: =8.9.0.0R4
Patches
No patches discovered yet.
References
- [1] talosintelligence.com/vulnerability_reports/TALOS-2021-1332 (mitre, x_refsource_MISC)