CVE-2021-28909
📋 TL;DR
The login service of BAB TECHNOLOGIE GmbH eibPort V3 devices (firmware before 3.9.1) applies no brute-force protection, so an unauthenticated attacker can guess passwords for the default 'admin' account as fast as the device answers. A weak admin password is therefore recoverable remotely, and the same credentials can be used for SSH root access to the device. Every eibPort V3 running firmware older than 3.9.1 is affected.
💻 Affected Systems
- BAB TECHNOLOGIE GmbH eibPort V3, firmware versions before 3.9.1
📦 What is this software?
eibPort firmware by BAB TECHNOLOGIE GmbH. The eibPort is a building-automation (KNX/EIB) gateway with a web interface; the firmware is the embedded Linux system that runs it.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain SSH root access to the device, enabling complete system compromise, data theft, and potential lateral movement within the network.
Likely Case
Attackers brute force a weak or default 'admin' password and gain administrative access to the eibPort web interface, allowing configuration changes; because the same credentials are accepted by the device's SSH service, this usually ends in a root shell as well.
If Mitigated
Rate limiting or account lockout stops the guessing before a password is found, and a strong, non-default admin password makes guessing impractical even on a device that still lacks lockout.
🎯 Exploit Status
The vulnerability is straightforward to exploit: any standard HTTP brute-force tool pointed at the /webif/SecurityModule endpoint with the username 'admin' and a password list will do. No memory corruption or special exploit code is involved; the weakness is the missing throttling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.1
Advisory (researcher write-up, not a vendor bulletin): https://psytester.github.io/CVE-2021-28909
Restart Required: Yes
Instructions:
1. Download eibPort V3 firmware version 3.9.1 or later from the vendor.
2. Back up the current device configuration.
3. Apply the firmware update through the device's web interface.
4. Restart the device.
5. Verify that the new version is reported.
6. Change the 'admin' password if it is still the default or a weak one; the update does not undo a password that may already have been guessed.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the eibPort web interface to trusted IP addresses only. The rules below are for a Linux firewall or gateway placed in front of the device, not for the eibPort itself. Because -A appends, the ACCEPT rules must be added before the DROP rules, as shown; apply the same restriction to SSH (port 22) if the device's SSH service is reachable, since that is where guessed credentials are cashed in.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Strong Password Enforcement
Change the default 'admin' password to a long, unique password that resists brute force attacks. This does not remove the missing throttling, but it makes an online guessing attack impractical within any realistic time.
🧯 If You Can't Patch
- Implement network segmentation to isolate eibPort devices from critical systems.
- Deploy a web application firewall (WAF) with brute force protection rules in front of the eibPort interface.
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via the web interface at System > Information. If version is below 3.9.1, the device is vulnerable.
Check Version:
curl -s http://DEVICE_IP/webif/ | grep -i version
Verify Fix Applied:
Confirm the firmware version shows 3.9.1 or higher in the web interface. On a device you are authorized to test, send a small number of deliberately wrong logins to /webif/SecurityModule and confirm that further attempts are rate-limited or blocked; do not run a full wordlist against a production device.
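A version check that is safe against the usual dotted-version pitfall, as an added example (not code from the page or from BAB TECHNOLOGIE). It assumes the device reports a plain dotted-numeric version string such as "3.9.1" or "3.10", optionally with a leading "v"; compare numerically, because a plain string comparison would rank "3.10.0" below "3.9.1".

```python
"""Decide whether an eibPort V3 firmware version string is below the fixed 3.9.1.

Added example, not from the page or the vendor. It assumes the device reports a
plain dotted-numeric version ("3.9.1", "3.10", optionally with a leading "v").
"""
import re

FIXED_VERSION = "3.9.1"


def parse_version(text):
    """'3.9.1' -> (3, 9, 1); accept a leading 'v'; reject anything else loudly."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when `version` sorts numerically below `fixed`.
    Segments are zero-padded so '3.9' compares as '3.9.0'."""
    have, want = parse_version(version), parse_version(fixed)
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want


if __name__ == "__main__":
    for v in ("3.8.4", "3.9", "3.9.1", "3.10.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Feed it whatever the device reports at System > Information (or whatever the curl line above returns); the parser raises on strings it does not recognise rather than silently classifying them.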
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from single IP addresses
- Successful logins from unusual IP addresses
- SSH logins to the device (especially as root) from hosts that are not the usual management systems, in particular shortly after a run of failed web logins
Network Indicators:
- High volume of HTTP POST requests to /webif/SecurityModule
- Traffic patterns consistent with brute force tools
SIEM Query:
source="eibPort" AND (url="/webif/SecurityModule" AND status=401) earliest=-15m | stats count by src_ip | where count > 10
(Splunk-style search. The time window matters: without one, the threshold is a flat count over the whole search span, which misses a slow guesser inside any short interval and flags busy NAT gateways over a long one. Field names depend on the log source; the device's own log format is not documented here, so the query assumes web-server-style access logs from a proxy in front of the device.)
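The detection logic above run over sample log lines, as an added example that is not code from the page, the researcher write-up or BAB TECHNOLOGIE. It assumes combined-log-format access lines from a reverse proxy in front of the device (the eibPort's own log format is not documented on the page) and that a 200 or 302 response to the login POST means the guessed credentials worked. It goes slightly beyond the SIEM query: the count is taken over a sliding time window, and a successful login that follows a burst of failures is reported separately.

```python
"""Flag brute-force attempts against the eibPort login endpoint.

Added example, not code from the page, the researcher write-up or BAB TECHNOLOGIE.
It assumes combined-log-format access lines from a reverse proxy placed in front
of the device (the device's own log format is not documented on the page), and
that a 200/302 response to the login POST means the guessed credentials worked.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/webif/SecurityModule"
FAILURE_STATUS = 401                  # what the page's SIEM query keys on
SUCCESS_STATUSES = {200, 302}         # assumption: not documented on the page
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _line(ip, ts, status):
    """Build one constructed access-log line (sample data, not a real capture)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "POST {LOGIN_PATH} HTTP/1.1" {status} 0'


def build_sample_log():
    """Constructed traffic: one fast guesser that wins, one fat-fingered operator,
    one low-and-slow guesser, plus unrelated traffic."""
    t0 = datetime(2021, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 203.0.113.7: 12 failures inside 80 seconds, then the admin password lands.
    for i in range(12):
        lines.append(_line("203.0.113.7", t0 + timedelta(seconds=7 * i), 401))
    lines.append(_line("203.0.113.7", t0 + timedelta(seconds=90), 302))
    # 198.51.100.4: two typos, then a normal login. Must not be flagged.
    lines.append(_line("198.51.100.4", t0 + timedelta(seconds=60), 401))
    lines.append(_line("198.51.100.4", t0 + timedelta(seconds=80), 401))
    lines.append(_line("198.51.100.4", t0 + timedelta(seconds=100), 302))
    # 192.0.2.9: 11 failures spread over two hours, one every 12 minutes.
    for i in range(11):
        lines.append(_line("192.0.2.9", t0 + timedelta(minutes=12 * i), 401))
    # A GET of the UI is not a login attempt and is ignored by the parser.
    lines.append('198.51.100.4 - - [10/Mar/2021:12:02:00 +0000] "GET /webif/ HTTP/1.1" 200 512')
    return lines


def parse_events(lines):
    """Keep only POSTs to the login endpoint, as (timestamp, ip, status), time-ordered."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LOGIN_PATH:
            continue
        events.append((datetime.strptime(m["ts"], TS_FMT), m["ip"], int(m["status"])))
    events.sort()
    return events


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: {"failures", "peak_in_window", "success_after_burst"}} for every
    source with >= threshold failed logins inside any sliding window of `window`.
    window=None reproduces the page's SIEM query: a flat count over the whole input."""
    total = Counter()
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    flagged = {}
    for ts, ip, status in parse_events(lines):
        if status == FAILURE_STATUS:
            total[ip] += 1
            q = recent[ip]
            q.append(ts)
            if window is not None:
                while ts - q[0] > window:
                    q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    ip, {"peak_in_window": 0, "success_after_burst": False})
                entry["peak_in_window"] = max(entry["peak_in_window"], len(q))
        elif status in SUCCESS_STATUSES and ip in flagged:
            # The "successful login from an unusual IP" indicator: a win after a burst.
            flagged[ip]["success_after_burst"] = True
    for ip, entry in flagged.items():
        entry["failures"] = total[ip]
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(build_sample_log()).items():
        print(ip, info)
```

With the default five-minute window only the fast guesser is reported, and its entry carries success_after_burst=True, which is the alert worth waking someone for. With window=None the slow guesser is reported too, matching the page's flat count; which behaviour you want depends on how noisy your management network is, so run both thresholds side by side before trusting either.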