CVE-2021-38306

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary operating system commands with root privileges on LG N1T1*** 10124 Network Attached Storage (NAS) devices via command injection in a specific PHP script. It affects users of these LG NAS devices, enabling complete system compromise. Attackers can exploit this remotely without any credentials.

💻 Affected Systems

Products:
  • LG N1T1*** 10124 Network Attached Storage
Versions: Specific versions unclear from references; likely all versions prior to a patch, but exact range not specified by vendor.
Operating Systems: Embedded Linux-based OS on the NAS device
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in a default web interface component (checkInstall.php), making standard configurations vulnerable without additional setup.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full root-level compromise of the NAS device, allowing data theft, destruction, ransomware deployment, or use as a pivot point into internal networks.

🟠 Likely Case

Unauthorized access leading to data exfiltration, installation of persistent backdoors, or disruption of storage services.

🟢 If Mitigated

Limited impact if the device is isolated behind strict network controls, but root access still poses significant risk if exploited.

🌐 Internet-Facing: HIGH, as the exploit is unauthenticated and can be triggered remotely over the network, making internet-exposed devices immediate targets.
🏢 Internal Only: HIGH, because even internally, unauthenticated attackers on the local network can exploit it to gain root access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves simple HTTP requests to inject commands via the destServer parameter, with public proof-of-concept details available online.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No specific advisory URL found in references; check LG support pages for updates.

Restart Required: No

Instructions:

Check LG's official support website for firmware updates. If available, download and apply the latest firmware via the device's web interface or management tools.

🔧 Temporary Workarounds

Block Access to Vulnerable Endpoint

linux

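Use network firewall rules or a web application firewall (WAF) to block requests to /en/ajp/plugins/access.ssh/checkInstall.php.

iptables -A INPUT -p tcp --dport 80 -m string --string "/en/ajp/plugins/access.ssh/checkInstall.php" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/en/ajp/plugins/access.ssh/checkInstall.php" --algo bm -j DROP

The string match compares literal bytes in the packet payload, so the port 443 rule cannot see a path inside TLS-encrypted traffic. For HTTPS, block the path at a TLS-terminating proxy or WAF, or restrict access to the web interface by source address. The INPUT chain applies when the rules run on the host that receives the requests; on a separate Linux firewall in front of the NAS, the equivalent rules belong in the FORWARD chain.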

Disable SSH Plugin if Unused

all

Remove or disable the SSH plugin via the device's web interface to reduce attack surface.

🧯 If You Can't Patch

  • Isolate the NAS device on a separate VLAN with strict network access controls, allowing only necessary traffic from trusted sources.
  • Implement intrusion detection systems (IDS) to monitor for exploit attempts and anomalous command execution patterns.

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://<NAS_IP>/en/ajp/plugins/access.ssh/checkInstall.php?destServer=;id; and check if command output (e.g., uid=0) is returned in the response.

Check Version:

Check firmware version via the device's web interface under System Settings or use SSH if enabled: cat /etc/version or similar.

Verify Fix Applied:

After applying mitigations, retest the vulnerable endpoint to confirm that no command execution occurs and that access is blocked or returns an error.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST/GET requests to checkInstall.php with shell metacharacters (e.g., ;, |, &) in parameters.
  • Log entries showing command execution or root access from unexpected sources.

Network Indicators:

  • HTTP traffic to /en/ajp/plugins/access.ssh/checkInstall.php containing suspicious strings in destServer parameter.
  • Outbound connections from the NAS to unknown IPs post-exploit.

SIEM Query:

source="nas_logs" AND url="/en/ajp/plugins/access.ssh/checkInstall.php" AND (destServer="*;*" OR destServer="*|*" OR destServer="*&*")
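
A log-side version of the indicators above, as an added example that is not part of the original page: it scans web access-log lines for requests to the endpoint and flags destServer values that contain shell metacharacters after URL-decoding, which a literal wildcard match on the raw URL would miss when the characters arrive percent-encoded. The log layout (common/combined format), the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

ENDPOINT = "/en/ajp/plugins/access.ssh/checkInstall.php"  # path named on this page
PARAM = "destServer"                                       # parameter named on this page
# Characters a shell treats specially; none belong in a host name or IP address.
SHELL_META = re.compile(r"[;|&`$()<>\r\n]")
# Assumed log layout (common/combined format): client ... "METHOD target PROTO" status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*" (\d{3})')

# Constructed sample lines; client addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /en/index.php HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET ' + ENDPOINT + '?destServer=192.168.1.20 HTTP/1.1" 200 40',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET ' + ENDPOINT + '?destServer=;id; HTTP/1.1" 200 88',
    '198.51.100.8 - - [01/Jan/2024:10:02:00 +0000] "GET ' + ENDPOINT + '?destServer=%3Bid%3B HTTP/1.1" 200 88',
    '203.0.113.9 - - [01/Jan/2024:10:03:00 +0000] "GET ' + ENDPOINT + '?destServer=a%7Cid HTTP/1.1" 200 88',
]

def suspicious_requests(lines):
    """Return (client, status, decoded destServer) for requests that carry
    shell metacharacters in destServer, raw or percent-encoded."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        client, target, status = m.groups()
        path, _, query = target.partition("?")
        # Decode and collapse slashes so encoded spellings of the path still match.
        if re.sub(r"/+", "/", unquote(path)) != ENDPOINT:
            continue
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_plus(raw)  # decode once before inspecting the value
            if unquote_plus(name) == PARAM and SHELL_META.search(value):
                hits.append((client, int(status), value))
    return hits

if __name__ == "__main__":
    for client, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} {PARAM}={value!r}")
```

Parameters sent in a POST body are not written to an access log, so this covers query strings only.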
