Login Sign Up

CVE-2021-37915

8.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows attackers with access to the limited configuration shell on Grandstream HT801 Analog Telephone Adaptors to set a malicious gdb_debug_server variable. After device reboot, this causes the device to download and execute arbitrary scripts from attacker-controlled hosts, potentially leading to complete device compromise. All HT801 devices running firmware versions before 1.0.29.8 are affected.

💻 Affected Systems

Products:
  • Grandstream HT801 Analog Telephone Adaptor
Versions: All versions before 1.0.29.8
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the limited configuration shell, which may be accessible via physical access or through other vulnerabilities.

📦 What is this software?

Ht801 Firmware by Grandstream

View all CVEs affecting Ht801 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover allowing persistent backdoor installation, credential theft, network pivoting, and use in botnets or as a foothold for further attacks.

🟠

Likely Case

Remote code execution leading to device compromise, unauthorized configuration changes, and potential use as a network pivot point.

🟢

If Mitigated

Limited impact if devices are isolated from untrusted networks and shell access is restricted, though vulnerability remains present.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly exploited if shell access is obtained, leading to remote compromise.
🏢 Internal Only: MEDIUM - Requires initial access to configuration shell, but once exploited can spread within internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to the configuration shell first, which may be obtained through other means or physical access. Public exploit details exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.29.8

Vendor Advisory: http://firmware.grandstream.com/BETA/Release_Note_HT80x_1.0.29.8.pdf

Restart Required: Yes

Instructions:

1. Download firmware version 1.0.29.8 from Grandstream's official website. 2. Log into the HT801 web interface. 3. Navigate to Maintenance > Upgrade. 4. Upload the firmware file. 5. Wait for upgrade to complete and device to reboot.

🔧 Temporary Workarounds

Restrict Configuration Shell Access

all

Limit physical and network access to the device's configuration interface to prevent attackers from setting the malicious variable.

Network Segmentation

all

Isolate HT801 devices in separate VLANs or network segments to limit potential lateral movement if compromised.

🧯 If You Can't Patch

  • Isolate affected devices from internet and untrusted networks
  • Implement strict access controls to prevent unauthorized configuration shell access

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: Login > Status > System Status > Firmware Version. If version is below 1.0.29.8, device is vulnerable.

Check Version:

Via web interface: Check Status > System Status > Firmware Version

Verify Fix Applied:

After patching, verify firmware version shows 1.0.29.8 or higher in the web interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusual configuration changes
  • Unexpected reboots
  • Network connections to unknown external hosts

Network Indicators:

  • HT801 devices downloading files from unusual external IPs
  • Unexpected outbound connections from HT801 devices

SIEM Query:

device.vendor:Grandstream AND device.model:HT801 AND (event.action:configuration_change OR network.destination.ip:external)

📊 Metadata

CVE ID: CVE-2021-37915
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: October 28, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON