XoruX STOR2RRD/LPAR2RRD - Remote command injection (CVE-2021-42372)
Package            Affected versions   Patched versions
LPAR2RRD (XoruX)   7.21                7.30
STOR2RRD (XoruX)   7.21                7.30
Overview
A shell command injection in the HW Events SNMP community string field of XoruX STOR2RRD allows authenticated remote attackers to execute arbitrary shell commands as the user running the service.
Details
Refer to the dedicated report file (see References).
Proof of Concept
Refer to the dedicated report file (see References).
Solution
Security patch
XoruX fixed this vulnerability in STOR2RRD/LPAR2RRD 7.30.
Workaround
Improve user input filtering.
References
https://github.com/orangecertcc/security-research/blob/main/CVE-2021-42372/XoruX_LPAR2RRD_STOR2RRD_CVE-2021-42372.pdf
https://stor2rrd.com/note730.php
https://lpar2rrd.com/note730.php
https://nvd.nist.gov/vuln/detail/CVE-2021-42372
Credits
Orange CERT-CC
Simon GEUSEBROEK at Orange group
Timeline
Date reported: October 11, 2021
Date fixed: October 21, 2021