CVE-2021-28911

9.8 CRITICAL

📋 TL;DR

Unauthenticated attackers can access the /tmp directory on BAB TECHNOLOGIE GmbH eibPort V3 devices prior to version 3.9.1, exposing sensitive data such as the device serial number. That information enables brute-force attacks against the BMX interface to calculate login credentials, potentially leading to SSH root access. All eibPort V3 installations running versions before 3.9.1 are affected.

💻 Affected Systems

Products:
  • BAB TECHNOLOGIE GmbH eibPort V3
Versions: All versions prior to 3.9.1
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable; no special configuration required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain SSH root access to the device, enabling complete system compromise, data theft, and potential lateral movement within the network.

🟠 Likely Case

Attackers obtain device serial numbers and brute-force BMX interface credentials, gaining administrative access to the device management interface.

🟢 If Mitigated

With proper access controls and network segmentation, attackers cannot reach the vulnerable interface, limiting impact to isolated systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP access to the device and basic scripting for brute-force attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.1

Vendor Advisory: https://psytester.github.io/CVE-2021-28911

Restart Required: Yes

Instructions:

1. Download eibPort V3 version 3.9.1 or later from the vendor.
2. Back up the current configuration.
3. Apply the firmware update through the device management interface.
4. Reboot the device.
5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Network Access

Block access to the eibPort web interface from everything except the trusted management network (<trusted_mgmt_net> is a placeholder for your management subnet in CIDR notation). Dropping all traffic to ports 80 and 443 unconditionally would also lock out legitimate administration, so the rules are scoped by source address.

  iptables -A INPUT -p tcp --dport 80 ! -s <trusted_mgmt_net> -j DROP
  iptables -A INPUT -p tcp --dport 443 ! -s <trusted_mgmt_net> -j DROP

Remove /tmp Directory Access

Change permissions on the /tmp directory to prevent unauthorized access. Other processes on the device also use /tmp, so test this change on a non-production device first.

  chmod 700 /tmp

🧯 If You Can't Patch

  • Isolate eibPort devices on a separate VLAN with strict access controls.
  • Implement network monitoring for unusual access patterns to the device management interface.

🔍 How to Verify

Check if Vulnerable:

Check whether accessing http://<device_ip>/tmp returns a directory listing or sensitive files.

Check Version:

Check the device web interface or run: grep eibPort /etc/version

Verify Fix Applied:

Verify that accessing the /tmp path returns 403 Forbidden or a similar error after patching.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts to BMX interface
  • Unauthorized access to /tmp directory in web server logs

Network Indicators:

  • Unusual HTTP requests to /tmp path
  • Brute-force patterns against device management interface

SIEM Query:

source="web_logs" AND (uri="/tmp" OR uri="/tmp/*")
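As an added example (not part of this advisory), the two log indicators above implemented in Python over constructed access-log lines: requests for /tmp or anything beneath it, and a per-client sliding-window count of failed login POSTs. The combined log format and the /login path are assumptions; the eibPort's actual log format and BMX login endpoint are not given here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Apache/nginx "combined" access-log format; the eibPort's real log format is not documented here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines. /login is a hypothetical management login path, not the documented BMX endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:14:02:11 +0000] "GET /tmp HTTP/1.1" 200 1543
10.0.0.5 - - [10/Mar/2021:14:02:12 +0000] "GET /tmp/ HTTP/1.1" 200 1543
10.0.0.9 - - [10/Mar/2021:14:02:20 +0000] "GET /tmpl/index.html HTTP/1.1" 200 812
10.0.0.5 - - [10/Mar/2021:14:06:01 +0000] "POST /login HTTP/1.1" 401 0
10.0.0.5 - - [10/Mar/2021:14:06:03 +0000] "POST /login HTTP/1.1" 401 0
10.0.0.5 - - [10/Mar/2021:14:06:05 +0000] "POST /login HTTP/1.1" 401 0
10.0.0.5 - - [10/Mar/2021:14:06:07 +0000] "POST /login HTTP/1.1" 401 0
10.0.0.9 - - [10/Mar/2021:14:06:10 +0000] "POST /login HTTP/1.1" 401 0
"""

def parse_log(text):
    """Parse access-log lines into dicts, skipping any line that does not match the format."""
    entries = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        entries.append(e)
    return entries

def tmp_exposure_hits(entries):
    """Requests for /tmp itself or anything below it (uri="/tmp" OR uri="/tmp/*"); /tmpl/... must not match."""
    return [e for e in entries if e["path"] == "/tmp" or e["path"].startswith("/tmp/")]

def bruteforce_sources(entries, login_path, threshold, window_s):
    """Client IPs with more than `threshold` failed (4xx) POSTs to login_path inside any window_s-second span."""
    failures = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == login_path and 400 <= e["status"] < 500:
            failures[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted failure timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
    return flagged
```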
