CVE-2021-37913

CVSS Score: 9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary system commands on HGiga OAKlouds mobile portal servers by injecting malicious commands into the IPv6 Gateway parameter. It affects systems running vulnerable versions of the OAKlouds mobile portal software. Attackers can gain complete control of affected systems without requiring any authentication.

💻 Affected Systems

Products:
  • HGiga OAKlouds mobile portal
Versions: Specific vulnerable versions not explicitly stated in references, but all versions before the patch are affected
Operating Systems: Likely Linux-based systems running the OAKlouds portal
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the network interface card setting page specifically. The vulnerability exists in how IPv6 Gateway parameter input is processed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor installation.

🟠 Likely Case: Remote code execution resulting in system takeover, credential harvesting, and deployment of additional malware payloads.

🟢 If Mitigated: Limited impact if network segmentation prevents external access and strict input validation is implemented.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects internet-facing mobile portal interfaces.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated command injection, posing significant risk to internal networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Command injection vulnerabilities are typically easy to exploit. The CVSS 9.8 score indicates trivial exploitation with high impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in references, but HGiga has released security updates

Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-5092-f88e2-1.html

Restart Required: Yes

Instructions:

1. Contact HGiga for the latest security patches.
2. Apply the patch to all affected OAKlouds mobile portal instances.
3. Restart the portal service.
4. Verify the fix by testing command injection attempts.

🔧 Temporary Workarounds

Network Access Restriction

Platform: Linux

Block external access to the OAKlouds mobile portal interface using firewall rules. Rule order matters: the ACCEPT rule for trusted networks must precede the DROP rule, and the placeholders must be replaced with the portal's port and your trusted source ranges.

# Allow trusted networks to reach the portal, then drop everything else
iptables -A INPUT -p tcp --dport [portal_port] -s [trusted_networks] -j ACCEPT
iptables -A INPUT -p tcp --dport [portal_port] -j DROP

Input Validation WAF Rule

Platform: All

Implement web application firewall rules to block malicious IPv6 gateway parameter values, preferably as an allow-list that accepts only a well-formed IPv6 address rather than a block-list of shell metacharacters.

🧯 If You Can't Patch

  • Immediately isolate affected systems from internet access and restrict to internal trusted networks only
  • Implement strict network segmentation and monitor all traffic to/from OAKlouds portal systems

🔍 How to Verify

Check if Vulnerable:

Test by attempting command injection in the IPv6 Gateway parameter field (e.g., using payloads like '; whoami' or '| id'). Only perform in controlled test environments.

Check Version:

Check OAKlouds portal version through administrative interface or contact HGiga support for version identification

Verify Fix Applied:

After patching, attempt the same command injection tests and verify they are properly rejected or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed login attempts followed by successful access
  • Suspicious process creation from web server user

Network Indicators:

  • Unusual outbound connections from OAKlouds portal server
  • Traffic to known malicious IPs or domains
  • Unexpected SSH/RDP connections originating from portal server

SIEM Query:

source="oaklouds-logs" AND (message="*IPv6*" OR message="*gateway*") AND (message="*;*" OR message="*|*" OR message="*`*")
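The allow-list validation the WAF workaround above calls for, and the detection logic behind the SIEM query, shown together as an added example. This is not HGiga's code and is not taken from the advisory; the log line format, the path /nic_setting.cgi and the parameter name ipv6_gateway are constructed assumptions. The validator accepts only a syntactically valid IPv6 address, so it also rejects inputs that carry no metacharacter (such as a scope-ID suffix) and that the metacharacter-only SIEM query above would miss.

```python
import ipaddress
import re
from urllib.parse import unquote

# Characters a shell would interpret; used only to label why a value failed.
SHELL_META = re.compile(r"[;|&`$(){}\n\r<>]")

# Allow-list: hex digits, colons and dots (dots for IPv4-mapped forms such as ::ffff:192.0.2.1).
IPV6_CHARS = re.compile(r"^[0-9A-Fa-f:.]{2,45}$")

# Assumed log layout: "<timestamp> <client-ip> <method> <path> <query>"; the parameter name is an assumption.
GATEWAY_PARAM = re.compile(r"ipv6_gateway=([^\s&]+)")


def is_valid_ipv6_gateway(value: str) -> bool:
    """Accept only a well-formed IPv6 address (strict allow-list, no scope IDs)."""
    value = value.strip()
    if not IPV6_CHARS.match(value):
        return False
    try:
        ipaddress.IPv6Address(value)
    except (ipaddress.AddressValueError, ValueError):
        return False
    return True


def classify_gateway_input(value: str) -> str:
    """Return 'ok' for a valid address, 'metachar' if a shell metacharacter is
    present, and 'malformed' for anything else that fails the allow-list."""
    if is_valid_ipv6_gateway(value):
        return "ok"
    if SHELL_META.search(value):
        return "metachar"
    return "malformed"


def scan_log(lines):
    """Scan web-access log lines and return (timestamp, client_ip, decoded_value,
    verdict) for every request whose IPv6 gateway value fails validation."""
    flagged = []
    for line in lines:
        match = GATEWAY_PARAM.search(line)
        if not match:
            continue  # request does not touch the gateway parameter
        parts = line.split()
        timestamp, client_ip = parts[0], parts[1]
        decoded = unquote(match.group(1))  # undo URL-encoding before inspecting
        verdict = classify_gateway_input(decoded)
        if verdict != "ok":
            flagged.append((timestamp, client_ip, decoded, verdict))
    return flagged


# Constructed sample log lines (addresses from documentation ranges, not real traffic).
SAMPLE_LOG = [
    "2021-09-01T10:00:01Z 192.0.2.10 POST /nic_setting.cgi ipv6_gateway=2001:db8::1",
    "2021-09-01T10:00:02Z 198.51.100.7 POST /nic_setting.cgi ipv6_gateway=2001:db8::1%3Bwhoami",
    "2021-09-01T10:00:03Z 192.0.2.11 POST /nic_setting.cgi ipv6_gateway=fe80::1%25eth0",
    "2021-09-01T10:00:04Z 192.0.2.12 GET /login.cgi",
]

if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print("ALERT", *entry)
```

The same classify_gateway_input check can sit in front of the portal handler as the WAF rule and in the SIEM pipeline as the detection: a value that is not a valid IPv6 address is rejected before it reaches the network-configuration code, and the verdict string explains whether the rejection was an injection attempt or a benign malformed input, which keeps the alert volume manageable.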

🔗 References
