CVE-2021-28913
📋 TL;DR
CVE-2021-28913 allows unauthenticated attackers to retrieve a hard-coded unique string from BAB TECHNOLOGIE GmbH eibPort V3 devices via the /webif/SecurityModule endpoint. This string acts as the root SSH key passphrase, enabling attackers to gain SSH root access as part of an attack chain. Organizations using eibPort V3 devices prior to version 3.9.1 are affected.
💻 Affected Systems
- BAB TECHNOLOGIE GmbH eibPort V3
📦 What is this software?
Eibport Firmware by Bab Technologie
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the eibPort device with root SSH access, allowing attackers to pivot to internal networks, disrupt building automation systems, or deploy persistent malware.
Likely Case
Attackers gain root access to vulnerable devices, enabling them to modify configurations, intercept traffic, or use the device as a foothold for lateral movement.
If Mitigated
Limited impact if devices are isolated from critical networks and SSH access is restricted via network controls.
🎯 Exploit Status
Exploitation is straightforward: retrieve the hard-coded string via HTTP request, then use it as SSH passphrase. Public proof-of-concept scripts exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.1
Vendor Advisory: https://psytester.github.io/CVE-2021-28913
Restart Required: Yes
Instructions:
1. Download eibPort V3 version 3.9.1 or later from the vendor.
2. Follow vendor update procedures to apply the firmware.
3. Restart the device to complete the update.
🔧 Temporary Workarounds
Block web interface access
Restrict network access to the eibPort web interface (ports 80/443) using firewalls or network segmentation. The rules below drop all inbound HTTP/HTTPS to the device, so if the web interface must stay reachable for administration, insert allow rules for trusted management hosts ahead of them.
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disable SSH root login
Modify the SSH configuration to refuse root login entirely (password and key-based). sshd honours the first PermitRootLogin directive it reads, so an existing directive must be rewritten in place; only append a new line if none exists. Validate the configuration before restarting the daemon.
sed -i 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
grep -q '^PermitRootLogin no' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
sshd -t && systemctl restart sshd
🧯 If You Can't Patch
- Isolate eibPort devices on a separate VLAN with strict firewall rules blocking all inbound traffic except necessary management protocols.
- Implement network monitoring and intrusion detection to alert on unauthorized access attempts to the /webif/SecurityModule endpoint.
🔍 How to Verify
Check if Vulnerable:
Send an HTTP GET request to http://<eibPort-IP>/webif/SecurityModule; if it returns a JSON response containing an 'eibPortString' field, the device is vulnerable.
Check Version:
ssh root@<eibPort-IP> 'cat /etc/version' or check the web interface for version information.
Verify Fix Applied:
After patching, the same HTTP request should return an error or no longer expose the eibPortString. Verify the device firmware version is 3.9.1 or higher.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /webif/SecurityModule in web server logs
- Failed or successful SSH root login attempts in auth logs
Network Indicators:
- Unusual HTTP traffic to eibPort devices on port 80/443
- SSH connections from unexpected sources to eibPort devices
SIEM Query:
source="eibPort" AND (url="/webif/SecurityModule" OR event="ssh root login")
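The SIEM query above matches either indicator on its own. The following added example (not part of the original advisory) implements the stronger correlation a defender wants: a successful root SSH login that follows a request to /webif/SecurityModule from the same source address within a time window, which is the attack chain this CVE enables. It assumes a combined-format web access log and a syslog-format sshd auth log; the sample lines are constructed, and the syslog year is supplied by the caller because syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not captured from a real device): combined format for the web interface, syslog for sshd.
ACCESS_LOG = """\
192.0.2.10 - - [12/Mar/2021:10:00:01 +0000] "GET /webif/ HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2021:10:02:14 +0000] "GET /webif/SecurityModule HTTP/1.1" 200 96
192.0.2.10 - - [12/Mar/2021:10:03:40 +0000] "GET /webif/SecurityModule HTTP/1.1" 200 96
"""
AUTH_LOG = """\
Mar 12 10:02:50 eibport sshd[811]: Accepted publickey for root from 198.51.100.7 port 51022 ssh2
Mar 12 10:05:00 eibport sshd[823]: Failed password for root from 203.0.113.9 port 40110 ssh2
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+)[^\]]*\] "\S+ (?P<path>\S+)')
AUTH_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
                     r'(?P<result>Accepted|Failed) \S+ for root from (?P<ip>\S+)')

def parse_access(log):
    """Return (ip, timestamp) for every request to the vulnerable endpoint."""
    hits = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m['path'].startswith('/webif/SecurityModule'):
            hits.append((m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S')))
    return hits

def parse_auth(log, year):
    """Return (ip, timestamp, 'Accepted'|'Failed') for every root SSH attempt; year is an assumption."""
    events = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=year)
            events.append((m['ip'], ts, m['result']))
    return events

def correlate(access_hits, auth_events, window=timedelta(minutes=30)):
    """Flag a successful root SSH login that follows a /webif/SecurityModule
    request from the same source within `window`."""
    alerts = []
    for ip, ssh_ts, result in auth_events:
        if result != 'Accepted':
            continue
        for a_ip, a_ts in access_hits:
            if a_ip == ip and timedelta(0) <= ssh_ts - a_ts <= window:
                alerts.append({'ip': ip, 'request': a_ts, 'root_login': ssh_ts})
    return alerts
```

Failed root logins and SecurityModule requests without a following login still deserve a lower-severity alert on their own; this script only raises the combined case.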