CVE-2021-38556

Vulnerability

includes/configure_client.php in RaspAP version 2.6.6 contains a command injection vulnerability. The script does not properly sanitize user-supplied input before passing it to a system command, allowing an attacker to inject arbitrary operating system commands. The vulnerability exists in the default installation and does not require any special configuration to be reachable [1][2].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the configure_client.php endpoint with malicious payload in the affected parameter(s). No authentication is required, and the attacker only needs network access to the RaspAP web interface. The injected commands are executed with the privileges of the web server user [1][2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the underlying operating system. This can lead to full compromise of the device, including data exfiltration, installation of backdoors, or lateral movement within the network. The impact is severe as RaspAP is often installed on network-facing devices like Raspberry Pi routers [1][2].

Mitigation

Users should upgrade to a patched version of RaspAP. The official GitHub repository has addressed this issue in subsequent releases; upgrading to the latest version is recommended. If upgrading is not immediately possible, administrators should restrict network access to the RaspAP web interface to trusted hosts only [1][2].