CVE-2021-38167
📋 TL;DR
CVE-2021-38167 is a SQL injection vulnerability in Roxy-WI's check_login function that allows unauthenticated attackers to extract valid UUIDs and bypass authentication. This affects Roxy-WI installations up to version 5.2.2.0. Attackers can gain unauthorized access to administrative functions without valid credentials.
💻 Affected Systems
- Roxy-WI
📦 What is this software?
Roxy Wi by Roxy Wi
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrative access, extract sensitive data, execute arbitrary commands, and pivot to other systems.
Likely Case
Unauthorized administrative access leading to configuration changes, data exfiltration, and potential privilege escalation within the Roxy-WI environment.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and monitoring that detects SQL injection attempts.
🎯 Exploit Status
SQL injection in authentication endpoint makes exploitation straightforward. Public GitHub issues demonstrate the vulnerability.
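For reference, the defect class named above is a login check that builds its SQL from the submitted username. The following is an added example, not Roxy-WI's own code: a hardened check_login that keeps user input out of the query text by using placeholders, so a username such as the injection string in the SIEM query below is compared literally and never matches. The table layout, column names and the pbkdf2 password hashing are assumptions for the demo, not the project's schema.

```python
import hashlib
import hmac
import os
import sqlite3
import uuid

# Build a constructed in-memory user table standing in for the application's
# user store (schema is an assumption for this example, not Roxy-WI's own).
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (username TEXT PRIMARY KEY, salt BLOB, "
        "password_hash TEXT, uuid TEXT)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO user VALUES (?, ?, ?, ?)",
        ("admin", salt, hash_password("correct-horse", salt), str(uuid.uuid4())),
    )
    conn.commit()
    return conn


def hash_password(password, salt):
    # Salted PBKDF2 so that stored hashes are not directly comparable across users.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def check_login(conn, username, password):
    """Return the user's UUID on success, None otherwise.

    The username is bound as a parameter: the SQL text is fixed, so quotes and
    OR/UNION fragments in the input can only ever be part of the compared value.
    """
    row = conn.execute(
        "SELECT salt, password_hash, uuid FROM user WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    salt, stored_hash, user_uuid = row
    candidate = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many hex digits matched.
    if not hmac.compare_digest(candidate, stored_hash):
        return None
    return user_uuid


if __name__ == "__main__":
    db = build_demo_db()
    print("valid login ->", check_login(db, "admin", "correct-horse"))
    print("wrong password ->", check_login(db, "admin", "nope"))
    print("quoted username ->", check_login(db, "admin' OR '1'='1", "x"))
```

The same principle applies to ORM calls: pass the username as a value to the query builder rather than formatting it into a raw SQL string.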
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.2.2.0
Vendor Advisory: https://github.com/hap-wi/roxy-wi/issues/285
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update Roxy-WI to the latest version.
3. Restart the Roxy-WI service.
4. Verify that authentication works properly.
🔧 Temporary Workarounds
Network Access Restriction
Platform: Linux. Restrict access to the Roxy-WI web interface to trusted IP addresses only:
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Web Application Firewall
Platform: all. Implement WAF rules to block SQL injection patterns, for example with ModSecurity:
SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQL injection attempt in request arguments'"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Roxy-WI from critical systems
- Enable detailed logging and monitoring for SQL injection attempts and failed logins
🔍 How to Verify
Check if Vulnerable:
Check the Roxy-WI version, either with grep 'version' /path/to/roxy-wi/config or by reading the web interface footer; any version up to and including 5.2.2.0 is affected.
Check Version:
grep -r 'version' /opt/roxy-wi/ 2>/dev/null || echo 'Check web interface'
Verify Fix Applied:
Verify version is above 5.2.2.0 and test authentication with invalid credentials to ensure proper validation
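Comparing version strings by hand is error-prone (as plain strings, "5.10.0.0" sorts before "5.2.2.0"). The following added helper, not part of the advisory or of Roxy-WI, pulls the first dotted version out of whatever the grep or footer returned and compares it numerically against the last affected release stated above.

```python
import re

# Last affected release per the advisory; anything strictly later is patched.
LAST_AFFECTED = (5, 2, 2, 0)


def parse_version(text):
    """Return the first dotted version in text as a 4-tuple of ints, or None."""
    match = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    # Pad shorter forms so that "5.3" compares as 5.3.0.0.
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(text):
    """True when the version found in text is 5.2.2.0 or older."""
    version = parse_version(text)
    if version is None:
        raise ValueError("no version number found in input")
    return version <= LAST_AFFECTED


if __name__ == "__main__":
    # Constructed sample lines standing in for grep output or footer text.
    for sample in ("version = 5.2.2.0", "Roxy-WI 5.2.3.0", "version=5.10.0.0"):
        print(sample, "->", "VULNERABLE" if is_vulnerable(sample) else "patched")
```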
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in application logs
- Multiple failed login attempts followed by successful login from same IP
- Authentication bypass patterns in access logs
Network Indicators:
- SQL injection patterns in HTTP POST requests to login endpoint
- Unusual authentication traffic patterns
SIEM Query:
source="roxy-wi.log" AND ("sql" OR "union" OR "select" OR "' OR '1'='1")
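The SIEM query above matches on bare keywords such as "select", which will also fire on legitimate traffic. The following added example (not from the advisory and not Roxy-WI code) implements the two log indicators listed above over constructed access-log lines: it URL-decodes the login request body before pattern matching, so encoded payloads are not missed, and it flags a source IP whose run of failed logins is followed by a successful one. The log format and the /app/login.py path are assumptions for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log (not real Roxy-WI output). Assumed format:
# <ip> <timestamp> <method> <path> <status> body=<url-encoded form body>
SAMPLE_LOG = """\
203.0.113.7 2021-08-01T10:00:01Z POST /app/login.py 401 body=login=admin&pass=wrong1
203.0.113.7 2021-08-01T10:00:04Z POST /app/login.py 401 body=login=admin&pass=wrong2
203.0.113.7 2021-08-01T10:00:05Z POST /app/login.py 401 body=login=admin&pass=wrong3
203.0.113.7 2021-08-01T10:00:09Z POST /app/login.py 302 body=login=admin%27+OR+%271%27%3D%271&pass=x
198.51.100.2 2021-08-01T10:01:00Z POST /app/login.py 302 body=login=alice&pass=s3cret
198.51.100.2 2021-08-01T10:02:00Z GET /app/overview.py 200 body=
"""

LOGIN_PATH = "/app/login.py"  # assumed login endpoint for the demo

# Patterns are matched against the decoded body, so "%27" becomes "'" first.
SQLI_PATTERNS = [
    re.compile(r"'\s*(?:or|and)\s+'?\w*'?\s*=", re.I),  # ' OR '1'='1
    re.compile(r"union\s+(?:all\s+)?select", re.I),
    re.compile(r"--\s*$|/\*"),                           # comment terminators
    re.compile(r";\s*(?:drop|insert|update|delete)\b", re.I),
]


def parse_line(line):
    head, _, body = line.partition(" body=")
    ip, ts, method, path, status = head.split()
    return {"ip": ip, "ts": ts, "method": method, "path": path,
            "status": int(status), "body": unquote_plus(body)}


def has_sqli(decoded_body):
    return any(p.search(decoded_body) for p in SQLI_PATTERNS)


def find_sqli_login_requests(lines):
    """Network indicator: injection patterns in POST bodies sent to the login endpoint."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH and has_sqli(rec["body"]):
            hits.append(rec)
    return hits


def find_failures_then_success(lines, threshold=3):
    """Log indicator: >= threshold consecutive failed logins, then a success, from one IP."""
    failures = defaultdict(int)
    flagged = set()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["path"] != LOGIN_PATH:
            continue
        if rec["status"] in (401, 403):
            failures[rec["ip"]] += 1
        elif 200 <= rec["status"] < 400:
            if failures[rec["ip"]] >= threshold:
                flagged.add(rec["ip"])
            failures[rec["ip"]] = 0
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in find_sqli_login_requests(lines):
        print("SQLi pattern from", rec["ip"], "at", rec["ts"], "->", rec["body"])
    print("failures then success:", find_failures_then_success(lines))
```

Tune the patterns and the failure threshold to the noise level of the environment; the decode-then-match step is the part most detections get wrong.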