CVE-2021-36705 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2021-36705?

CVE-2021-36705 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary commands on ProLink PRC2402M routers by injecting malicious commands into the TR069_local_port parameter. Attackers can gain full control of affected devices, potentially compromising network security. All users running firmware V1.0.18 or older are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on ProLink PRC2402M routers by injecting malicious commands into the TR069_local_port parameter. Attackers can gain full control of affected devices, potentially compromising network security. All users running firmware V1.0.18 or older are affected.

💻 Affected Systems

Products:

ProLink PRC2402M

Versions: V1.0.18 and older

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in default configuration; no special settings required.

📦 What is this software?

Prc2402m Firmware by Prolink

View all CVEs affecting Prc2402m Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover leading to network compromise, data exfiltration, lateral movement to other systems, and persistent backdoor installation.

🟠

Likely Case

Router compromise allowing traffic interception, DNS manipulation, credential theft, and use as attack platform.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted access to adm.cgi endpoint.

🌐 Internet-Facing: HIGH - Directly exploitable if device's web interface is exposed to internet.

🏢 Internal Only: HIGH - Exploitable by any internal attacker with network access to device.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple curl command injection demonstrated in public disclosure; trivial to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider replacing device or implementing strict network controls.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected routers in separate VLAN with strict firewall rules blocking access to adm.cgi endpoint.

Access Restriction

linux

Configure firewall to block external access to router web interface (port 80/443).

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

Replace affected devices with supported models from different vendors
Implement strict network monitoring and anomaly detection for router traffic

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface at http://router-ip/status.cgi or via SSH if available.

Check Version:

curl -s http://router-ip/status.cgi | grep Firmware

Verify Fix Applied:

No fix available; verify device replacement or workaround implementation.

📡 Detection & Monitoring

Log Indicators:

Unusual commands in system logs
Multiple failed login attempts to adm.cgi
Suspicious process execution

Network Indicators:

Unexpected outbound connections from router
Traffic to unusual ports
DNS queries to malicious domains

SIEM Query:

source="router-logs" AND (uri="/cgi-bin/adm.cgi" AND params="TR069_local_port=*")

📊 Metadata

CVE ID: CVE-2021-36705

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: August 6, 2021

Last Updated: November 21, 2024

🔗 References

https://www.ayrx.me/prolink-prc2402m-multiple-vulnerabilities/#tr069-command-injection Exploit,Third Party Advisory
https://www.ayrx.me/prolink-prc2402m-multiple-vulnerabilities/#tr069-command-injection Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-36705, you might also want to check these: