XoruX STOR2RRD/LPAR2RRD - Remote command injection (CVE-2021-42372)

High
orange-cert-cc published GHSA-xfw3-pgp3-5j2p Nov 16, 2021

Package: LPAR2RRD (XoruX)
Affected versions: 7.21
Patched versions: 7.30

Package: STOR2RRD (XoruX)
Affected versions: 7.21
Patched versions: 7.30

Description

Overview

A shell command injection in the HW Events SNMP community string of XoruX STOR2RRD allows authenticated remote attackers to execute arbitrary shell commands as the user running the service.

Details

Refer to dedicated report file

Proof of Concept

Refer to dedicated report file

Solution

Security patch

XoruX fixed this vulnerability in STOR2RRD/LPAR2RRD 7.30.

Workaround

Improve user input filtering: the SNMP community string is user-controlled, so it must be validated (or at least stripped of shell metacharacters) before it is passed to any shell command.
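The workaround above is only stated in general terms. The following is an added example, not part of the advisory and not the project's own code, that contrasts the unsafe pattern of splicing an SNMP community string into a shell command line with a hardened version that validates the value against an allow-list and passes it to snmpwalk as its own argv element, so no shell ever parses it. The function names, the allow-list pattern and the sample values are assumptions chosen for illustration.

```python
import re
import subprocess

# Conservative allow-list for community strings (an assumption for this
# example; widen it to local policy, but never admit shell metacharacters
# if the value is ever interpolated into a shell command line).
COMMUNITY_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")
HOST_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,253}$")
SYSTEM_OID = "1.3.6.1.2.1.1"  # the standard MIB-2 "system" subtree


def validate_community(community: str) -> bool:
    """Return True only if the community string matches the allow-list."""
    return bool(COMMUNITY_RE.fullmatch(community))


def vulnerable_command_line(host: str, community: str) -> str:
    """The unsafe pattern: the user-controlled value is spliced into one
    string that is later handed to a shell. Built for illustration only;
    nothing in this example executes the returned string."""
    return f"snmpwalk -v2c -c {community} {host} {SYSTEM_OID}"


def safe_argv(host: str, community: str) -> list:
    """The hardened pattern: validate first, then build an argv list so the
    community string reaches snmpwalk as a single argument."""
    if not validate_community(community):
        raise ValueError("community string contains disallowed characters")
    if not HOST_RE.fullmatch(host):
        raise ValueError("host contains disallowed characters")
    return ["snmpwalk", "-v2c", "-c", community, host, SYSTEM_OID]


def is_rejected(host: str, community: str) -> bool:
    """Convenience check: does the hardened builder refuse this input?"""
    try:
        safe_argv(host, community)
    except ValueError:
        return True
    return False


def run_snmpwalk(host: str, community: str, timeout: int = 10) -> str:
    """Execute the hardened command. With a list argument subprocess.run
    defaults to shell=False, so the input is never parsed by a shell."""
    argv = safe_argv(host, community)
    result = subprocess.run(
        argv, capture_output=True, text=True, timeout=timeout, check=False
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample values (not taken from the advisory).
    for value in ("public", "public;echo injected"):
        print(repr(value), "accepted" if validate_community(value) else "rejected")
        print("  shell line would be:", vulnerable_command_line("10.0.0.1", value))
```

The point of the contrast is that the shell line built by `vulnerable_command_line` lets a `;` in the community string terminate the snmpwalk command, whereas `safe_argv` both refuses such values and, even if the allow-list were relaxed, would still hand the string to snmpwalk as one argument rather than to a shell.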

References

https://github.com/orangecertcc/security-research/blob/main/CVE-2021-42372/XoruX_LPAR2RRD_STOR2RRD_CVE-2021-42372.pdf
https://stor2rrd.com/note730.php
https://lpar2rrd.com/note730.php
https://nvd.nist.gov/vuln/detail/CVE-2021-42372

Credits

Orange CERT-CC
Simon GEUSEBROEK at Orange group

Timeline

Date reported: October 11, 2021
Date fixed: October 21, 2021

Severity

High
8.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2021-42372

Weaknesses