CVE-2021-33357

9.8 CRITICAL

📋 TL;DR

CVE-2021-33357 is a critical command injection vulnerability in the RaspAP web interface that allows unauthenticated attackers to execute arbitrary operating-system commands on affected systems. The vulnerability exists in the networking configuration endpoint, where user input is not properly sanitized before it is passed to the shell. It affects all RaspAP installations running versions 2.6 through 2.6.5.

💻 Affected Systems

Products:
  • RaspAP (Raspberry Pi Access Point web interface)
Versions: 2.6 to 2.6.5
Operating Systems: Raspberry Pi OS (any version running RaspAP)
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The vulnerable endpoint is part of the standard web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise, allowing an attacker to install persistent backdoors, steal sensitive data, pivot to other systems, or use the device for cryptocurrency mining or botnet participation.

🟠 Likely Case

The attacker gains shell access to the Raspberry Pi and can modify network configurations, install malware, or use the device as a foothold for further attacks.

🟢 If Mitigated

If properly patched or the workarounds are applied, the vulnerability is eliminated and no command execution is possible.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via web interface, making internet-facing installations extremely vulnerable to automated attacks.
🏢 Internal Only: HIGH - Even internally accessible installations are vulnerable to any attacker who can reach the web interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial with publicly available proof-of-concept code. The vulnerability requires no authentication and can be exploited with simple HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.6 and later

Vendor Advisory: https://github.com/RaspAP/raspap-webgui/releases

Restart Required: No

Instructions:

1. Update RaspAP using the official update method: 'sudo apt update && sudo apt upgrade raspap-webgui'
2. Alternatively, manually update from GitHub: 'cd /var/www/html/raspap && sudo git pull'
3. Verify the version is 2.6.6 or higher

🔧 Temporary Workarounds

Disable vulnerable endpoint (linux)

Temporarily disable or restrict access to the vulnerable PHP file. This works regardless of which web server serves RaspAP (the RaspAP quick installer deploys lighttpd by default):

sudo mv /var/www/html/raspap/ajax/networking/get_netcfg.php /var/www/html/raspap/ajax/networking/get_netcfg.php.disabled

Web server access control (linux)

Configure the web server to block access to the vulnerable endpoint.

Apache (inside the site's VirtualHost, or in .htaccess if AllowOverride permits it):

<Location "/ajax/networking/get_netcfg.php">
    Order deny,allow
    Deny from all
</Location>

Note that 'Order'/'Deny from' is Apache 2.2 syntax and only works on Apache 2.4 when mod_access_compat is loaded; the native 2.4 equivalent inside the Location block is 'Require all denied'.

Nginx (inside the server block):

location = /ajax/networking/get_netcfg.php { return 403; }

After either change, reload the web server and confirm that a request to the endpoint returns 403.

🧯 If You Can't Patch

  • Immediately restrict network access to the RaspAP web interface using firewall rules
  • Implement network segmentation to isolate affected devices from critical systems

🔍 How to Verify

Check if Vulnerable:

Check whether the file /var/www/html/raspap/ajax/networking/get_netcfg.php exists and still contains shell_exec calls that use the $_GET['iface'] parameter without sanitization.

Check Version:

grep -r "RAP_VERSION" /var/www/html/raspap/includes/constants.php | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+'

Verify Fix Applied:

Verify the file has been updated to version 2.6.6+ and contains proper input validation/sanitization

📡 Detection & Monitoring

Log Indicators:

  • Web server logs showing requests to /ajax/networking/get_netcfg.php with special characters in parameters
  • System logs showing unexpected command execution or process creation

Network Indicators:

  • HTTP requests containing semicolons or other shell metacharacters in the 'iface' parameter
  • Outbound connections from Raspberry Pi to suspicious IPs

SIEM Query:

source="web_access.log" AND uri_path="/ajax/networking/get_netcfg.php" AND (query_string="*;*" OR query_string="*|*" OR query_string="*`*")
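As an added illustration of the log indicators above (example code, not part of the advisory or of the RaspAP project), the following Python script parses combined-format access-log lines, keeps only hits on the vulnerable endpoint, percent-decodes the iface parameter and flags any value that could not be a real interface name. The sample log lines are constructed, and the interface-name pattern and metacharacter set are assumptions of the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format (Apache/Nginx default): client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
VULN_PATH = "/ajax/networking/get_netcfg.php"
# Characters that let a value break out of a shell argument (a superset of the page's ; | ` list).
SHELL_META = set(";|&`$(){}<>\n\r")
# Assumption: a legitimate interface name is short and alphanumeric (wlan0, eth0, uap0, ...).
IFACE_OK = re.compile(r"[A-Za-z0-9_.:-]{1,15}")

def suspicious_iface(decoded):
    """True when a percent-decoded iface value cannot be a normal interface name."""
    return not IFACE_OK.fullmatch(decoded) or any(c in SHELL_META for c in decoded)

def scan_line(line):
    """Parse one access-log line; return a finding dict for a suspect get_netcfg.php hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return None
    # parse_qs percent-decodes once, so %3B is inspected as ';' (a raw match on ';' would miss it).
    for value in parse_qs(url.query, keep_blank_values=True).get("iface", []):
        if suspicious_iface(value):
            return {"ip": m.group("ip"), "time": m.group("time"),
                    "status": m.group("status"), "iface": value}
    return None

def scan_log(text):
    """Run scan_line over every line of a log and collect the findings."""
    return [f for f in map(scan_line, text.splitlines()) if f]

# Constructed sample lines (not real traffic): a normal request, a percent-encoded
# metacharacter in iface, and a semicolon on an unrelated path that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2021:10:00:01 +0000] "GET /ajax/networking/get_netcfg.php?iface=wlan0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2021:10:00:07 +0000] "GET /ajax/networking/get_netcfg.php?iface=wlan0%3Becho%20x HTTP/1.1" 200 640 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jun/2021:10:00:09 +0000] "GET /index.php?page=wlan0;x HTTP/1.1" 200 8000 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Decoding before matching matters: a raw wildcard such as query_string="*;*" in the SIEM query above does not match the encoded form %3B, so apply the same check to the decoded parameter value in your SIEM.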
