XoruX STOR2RRD/LPAR2RRD - Presence of hardcoded accounts (CVE-2021-42371)
Package: LPAR2RRD (XoruX)
Affected versions: 7.21
Patched versions: 7.30

Package: STOR2RRD (XoruX)
Affected versions: 7.21
Patched versions: 7.30
Overview
A hardcoded system account used in XoruX LPAR2RRD and STOR2RRD appliances allows a remote attacker to open an SSH session to the server hosting this service and to use that server as a pivot to compromise the rest of the infrastructure.
XoruX appliances contain a hardcoded account, either “lpar2rrd” or “stor2rrd”, used to run the monitoring service; this account has a static password, “xorux4you”, assigned, which allows remote connection as this user.
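Because the exposure is an interactive SSH login as a service account that should never log in interactively, the quickest check on an existing appliance is to look in the SSH authentication log for accepted password or keyboard-interactive logins as “lpar2rrd” or “stor2rrd”. The script below is an added example written for this advisory, not code from XoruX or from Orange CERT-CC; the log lines, host names and IP addresses (RFC 5737 documentation ranges) are constructed for illustration, and the OpenSSH message format is the standard “Accepted/Failed <method> for <user> from <addr> port <n>” line.

```python
import re

# Service accounts named in the advisory (CVE-2021-42371).
ADVISORY_ACCOUNTS = frozenset({"lpar2rrd", "stor2rrd"})

# Standard OpenSSH auth-log line for password / PAM logins. Public-key
# logins are deliberately not matched: the advisory concerns the static
# password, and key-based use of the account may be legitimate.
SSH_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>password|keyboard-interactive/pam) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed sample log (not taken from a real appliance).
SAMPLE_AUTH_LOG = """\
Oct 12 03:14:07 lpar2rrd-appliance sshd[2211]: Accepted password for lpar2rrd from 203.0.113.45 port 50122 ssh2
Oct 12 03:14:09 lpar2rrd-appliance sshd[2211]: pam_unix(sshd:session): session opened for user lpar2rrd by (uid=0)
Oct 12 08:02:15 lpar2rrd-appliance sshd[2390]: Accepted publickey for admin from 192.0.2.10 port 41022 ssh2: ED25519 SHA256:EXAMPLE
Oct 12 08:30:00 lpar2rrd-appliance sshd[2450]: Failed password for stor2rrd from 203.0.113.45 port 50140 ssh2
Oct 13 01:00:33 stor2rrd-appliance sshd[3001]: Accepted keyboard-interactive/pam for stor2rrd from 198.51.100.7 port 60010 ssh2
""".splitlines()


def find_service_account_logins(lines, accounts=ADVISORY_ACCOUNTS):
    """Return password-based SSH events for the advisory's service accounts.

    Each hit is a dict with the user, source address, auth method, whether the
    login was accepted, and the raw line, so it can be fed to a SIEM or ticket.
    """
    hits = []
    for line in lines:
        m = SSH_AUTH.search(line)
        if not m or m.group("user") not in accounts:
            continue
        hits.append({
            "user": m.group("user"),
            "src": m.group("src"),
            "method": m.group("method"),
            "accepted": m.group("result") == "Accepted",
            "line": line.strip(),
        })
    return hits


def summarize(hits):
    """Split hits into confirmed logins and failed attempts, keyed by (user, src)."""
    confirmed = sorted({(h["user"], h["src"]) for h in hits if h["accepted"]})
    attempts = sorted({(h["user"], h["src"]) for h in hits if not h["accepted"]})
    return {"confirmed": confirmed, "attempts": attempts}


if __name__ == "__main__":
    report = summarize(find_service_account_logins(SAMPLE_AUTH_LOG))
    for user, src in report["confirmed"]:
        print(f"CONFIRMED: password/PAM login as {user} from {src}")
    for user, src in report["attempts"]:
        print(f"ATTEMPT:   failed password for {user} from {src}")
```

On a real system, feed `find_service_account_logins()` the lines of /var/log/auth.log or /var/log/secure (or the output of `journalctl -u sshd`); any confirmed entry for these accounts from an address that is not the appliance's own administration host is worth treating as a compromise indicator rather than noise, since the service account has no legitimate reason for interactive password logins.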
Details
Refer to dedicated report file
Proof of Concept
Refer to dedicated report file
Solution
Security patch
XoruX fixed this vulnerability in STOR2RRD/LPAR2RRD 7.30.
Workaround
Improve user input filtering.
References
https://github.com/orangecertcc/security-research/blob/main/CVE-2021-42371/XoruX_LPAR2RRD_STOR2RRD_CVE-2021-42371.pdf
https://stor2rrd.com/note730.php
https://lpar2rrd.com/note730.php
https://nvd.nist.gov/vuln/detail/CVE-2021-42371
Credits
Orange CERT-CC
Simon GEUSEBROEK at Orange group
Timeline
Date reported: October 11, 2021
Date fixed: October 21, 2021