CVE-2021-3346

9.8 CRITICAL

📋 TL;DR

CVE-2021-3346 is a cross-site scripting (XSS) vulnerability in Foris web interface versions before 101.1.1, used in Turris OS routers. It allows attackers to inject malicious scripts into the login page, potentially compromising user sessions and credentials. All Turris OS users with vulnerable Foris versions are affected.

💻 Affected Systems

Products:
  • Foris web interface
  • Turris OS
Versions: Foris versions before 101.1.1
Operating Systems: Turris OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Turris routers with Foris web interface enabled (default configuration).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via session hijacking, credential theft, and potential remote code execution through chained attacks.

🟠

Likely Case

Session hijacking, credential theft, and unauthorized access to router administration interface.

🟢

If Mitigated

Limited impact with proper input validation and output encoding in place.

🌐 Internet-Facing: HIGH - Foris web interface is typically exposed to the internet on Turris routers.
🏢 Internal Only: MEDIUM - Could still be exploited by internal attackers or malware.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity, especially in login pages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Foris 101.1.1 and later

Vendor Advisory: https://gitlab.nic.cz/turris/foris/foris/-/issues/201

Restart Required: Yes

Instructions:

1. Update Turris OS to the latest version via the web interface or command line.
2. Update the Foris package to 101.1.1 or later.
3. Restart the router or the Foris service.

🔧 Temporary Workarounds

Disable Foris web interface

Temporarily disable the vulnerable web interface until patching is possible. Turris OS is OpenWrt-based and does not ship systemd, so the systemctl commands below have to be translated to the router's equivalent /etc/init.d service script.

systemctl stop foris
systemctl disable foris

Use firewall restrictions

Restrict access to the Foris web interface to trusted IP addresses only. Every other client, including LAN hosts, is dropped on ports 80 and 443, and rules appended directly with iptables are lost when the router's firewall is reloaded, so persist them through the firewall configuration if the workaround must survive a reload.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with XSS protection rules
  • Monitor for suspicious login attempts and XSS payloads in web logs

🔍 How to Verify

Check Version:

opkg list-installed | grep foris

Check if Vulnerable: the reported Foris version is below 101.1.1.

Verify Fix Applied: the reported Foris version is 101.1.1 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual login attempts
  • XSS payload patterns in web server logs
  • Multiple failed login attempts from same source

Network Indicators:

  • Suspicious HTTP requests containing script tags or JavaScript code
  • Unusual traffic to router web interface

SIEM Query:

source="web_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=") AND dest_port IN (80, 443)
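A log-side counterpart of the SIEM query above, added here as an example that is not part of this advisory: it parses Combined Log Format lines, percent-decodes the request target, referer and user-agent (so encoded or double-encoded payloads are not missed) and matches the same indicator strings case-insensitively. The log lines and the /login path are constructed for illustration and do not represent Foris's actual URL layout.

```python
import re
from urllib.parse import unquote

# Indicator strings mirrored from the SIEM query (compared in lower case).
XSS_PATTERNS = ["<script", "javascript:", "onerror=", "onload="]

# Combined Log Format: client, timestamp, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are unwrapped."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def scan_line(line):
    """Return a finding dict for the first matching indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line; a production scanner should count these
    fields = {k: decode(m.group(k)) for k in ("target", "referer", "ua")}
    for field, value in fields.items():
        low = value.lower()
        for pat in XSS_PATTERNS:
            if pat in low:
                return {"ip": m.group("ip"), "field": field, "pattern": pat, "target": fields["target"]}
    return None


def scan_log(lines):
    return [hit for hit in (scan_line(l) for l in lines) if hit]


# Constructed sample traffic (not real logs); the /login path is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2021:10:00:01 +0000] "GET /login?next=/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [01/Feb/2021:10:00:05 +0000] "GET /login?next=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '192.0.2.30 - - [01/Feb/2021:10:00:09 +0000] "GET /login?next=%253Cimg%2520src%3Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '192.0.2.40 - - [01/Feb/2021:10:00:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 JAVASCRIPT:x"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The third sample line only matches after two decoding rounds, which is exactly the case a single-pass substring query on the raw log would miss.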
