CVE-2021-33393
📋 TL;DR
This vulnerability in IPFire firewall distributions allows local privilege escalation through insecure file permissions. An unprivileged user could replace the backup.pl script with malicious code that executes with root privileges when the backup system runs. This affects IPFire 2.25 installations with core155.
💻 Affected Systems
- IPFire
📦 What is this software?
Ipfire by Ipfire
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level remote code execution, allowing an attacker to install persistent backdoors, exfiltrate data, or pivot to other network segments.
Likely Case
Local privilege escalation leading to unauthorized administrative access, configuration changes, or installation of additional malicious tools.
If Mitigated
Limited impact with proper file permission monitoring and least privilege principles in place.
🎯 Exploit Status
Exploitation requires local access to the system. Public proof-of-concept code exists demonstrating the privilege escalation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in commit 6769d909306d7bdc43d64598872126fcf1b217f6 and later versions
Vendor Advisory: https://github.com/ipfire/ipfire-2.x/commit/6769d909306d7bdc43d64598872126fcf1b217f6
Restart Required: No
Instructions:
1. Update IPFire to the latest version.
2. Apply security patches from the IPFire repository.
3. Verify that file permissions are corrected.
🔧 Temporary Workarounds
Fix file permissions manually
Manually set correct ownership and permissions on the backup.pl script:
chown root:root /var/ipfire/backup/bin/backup.pl
chmod 755 /var/ipfire/backup/bin/backup.pl
Disable backup functionality
Temporarily disable the backup system if it is not needed:
chmod 000 /var/ipfire/backup/bin/backup.pl
🧯 If You Can't Patch
- Implement strict file integrity monitoring on /var/ipfire/backup/bin/backup.pl
- Restrict local user access and implement least privilege principles
🔍 How to Verify
Check if Vulnerable:
Check ownership of backup.pl: ls -la /var/ipfire/backup/bin/backup.pl | grep -v 'root root' prints the entry only when the owner and group are not root root, so any output indicates the system is vulnerable.
Check Version:
cat /etc/ipfire-release
Verify Fix Applied:
Verify file ownership: ls -la /var/ipfire/backup/bin/backup.pl should show 'root root'
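The ownership check above covers the owner but not the mode bits that let an unprivileged user overwrite the script. The following added checker (not part of the advisory or of IPFire) reports both conditions for a given path; it assumes GNU coreutils stat (-c) and the backup.pl path from this advisory.

```shell
#!/bin/sh
# Added check, not from the advisory: report whether backup.pl's ownership and
# mode match the fixed state (root:root, not writable by group or others).
# Assumes GNU stat; BACKUP_PL is the path named in this advisory.
BACKUP_PL=/var/ipfire/backup/bin/backup.pl

# check_backup_perms PATH
#   prints findings; returns 0 if secure, 1 if vulnerable, 2 if PATH is missing
check_backup_perms() {
    path=$1
    info=$(stat -c '%U %G %a' "$path" 2>/dev/null) || {
        echo "missing: $path"
        return 2
    }
    set -- $info            # owner group octal-mode
    owner=$1; group=$2; mode=$3
    rc=0
    if [ "$owner" != "root" ] || [ "$group" != "root" ]; then
        echo "owner is $owner:$group, expected root:root"
        rc=1
    fi
    # In the octal mode the last digit is "others", the one before it is
    # "group"; bit value 2 in either digit is the write permission.
    other=$(( mode % 10 ))
    grp=$(( (mode / 10) % 10 ))
    if [ $(( other & 2 )) -ne 0 ] || [ $(( grp & 2 )) -ne 0 ]; then
        echo "mode $mode is group/world-writable"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: $path is root:root, mode $mode"
    return $rc
}

# Run against the advisory path by default, or a path given as first argument.
check_backup_perms "${1:-$BACKUP_PL}"
```

Exit status 1 means the file should be fixed with the chown/chmod workaround above; 2 means the path does not exist on this system.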
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file modifications in /var/ipfire/backup/bin/
- Unexpected backup script executions
- Permission change alerts
Network Indicators:
- Unusual outbound connections from IPFire system after backup runs
SIEM Query:
file_path:"/var/ipfire/backup/bin/backup.pl" AND (event_type:"file_modification" OR event_type:"permission_change")
🔗 References
- http://packetstormsecurity.com/files/163158/IPFire-2.25-Remote-Code-Execution.html
- https://github.com/MucahitSaratar/ipfire-2-25-auth-rce
- https://github.com/ipfire/ipfire-2.x/commit/6769d909306d7bdc43d64598872126fcf1b217f6
- https://github.com/ipfire/ipfire-2.x/commits/master?since=2021-05-17&until=2021-05-17