CVE-2021-38557
📋 TL;DR
CVE-2021-38557 allows attackers to execute arbitrary commands as root on RaspAP 2.6.6 installations. The vulnerability exists because the www-data user can both execute a specific script with sudo privileges and overwrite that script with malicious content. This affects all RaspAP 2.6.6 installations with default sudoers configuration.
💻 Affected Systems
- RaspAP Web GUI
📦 What is this software?
RaspAP by RaspAP
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root-level command execution, allowing installation of persistent backdoors, data theft, or system destruction.
Likely Case
Attackers gain root shell access to the Raspberry Pi device, enabling them to pivot to other network devices or use the device for malicious purposes.
If Mitigated
Limited impact with proper file permissions and sudoers restrictions in place.
🎯 Exploit Status
Exploitation requires access to the www-data user account, which typically requires web application compromise first.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.7 and later
Vendor Advisory: https://github.com/RaspAP/raspap-webgui
Restart Required: No
Instructions:
1. Update RaspAP to version 2.6.7 or later using: git pull origin master
2. Run the installer again: sudo ./install.sh
3. Verify sudoers file permissions are corrected.
🔧 Temporary Workarounds
Restrict sudoers permissions
Modify sudoers so that www-data can no longer run the enablelog.sh script, which it is able to overwrite, as root without a password:
sudo visudo -f /etc/sudoers.d/raspap
Remove or modify the line: www-data ALL=(ALL) NOPASSWD: /etc/raspap/hostapd/enablelog.sh
Set proper file permissions
Make enablelog.sh immutable or restrict its write permissions:
sudo chattr +i /etc/raspap/hostapd/enablelog.sh
sudo chown root:root /etc/raspap/hostapd/enablelog.sh
sudo chmod 755 /etc/raspap/hostapd/enablelog.sh
🧯 If You Can't Patch
- Remove the vulnerable sudoers entry completely from /etc/sudoers.d/raspap
- Isolate the affected device from critical networks and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check whether www-data can run enablelog.sh via sudo without a password: sudo -l -U www-data | grep enablelog.sh
Check Version:
Check RaspAP version in web interface or run: cat /etc/raspap/raspap.version
Verify Fix Applied:
Verify that www-data can no longer run the script as root: sudo -u www-data sudo /etc/raspap/hostapd/enablelog.sh (it should prompt for a password or be denied)
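The two workaround conditions and the "Check if Vulnerable" step above can be combined into one local audit: the configuration is only exploitable when the sudoers rule grants www-data passwordless root execution of enablelog.sh AND www-data can write to that script. The script below is an added example, not RaspAP code or part of the advisory; it assumes GNU coreutils stat (Linux) and takes the sudoers and script paths as parameters so it can be exercised against constructed files in a scratch directory.

```shell
#!/bin/sh
# Added audit helper (not part of RaspAP or the advisory) for CVE-2021-38557.
# Default paths are the ones named in the advisory; both are overridable.
DEFAULT_SUDOERS=/etc/sudoers.d/raspap
DEFAULT_SCRIPT=/etc/raspap/hostapd/enablelog.sh

# 0 if SUDOERS_FILE ($1) has an uncommented www-data rule with NOPASSWD: that names SCRIPT ($2).
sudoers_grants_nopasswd() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -E '^[[:space:]]*www-data[[:space:]].*NOPASSWD:' \
        | grep -F -- "$2" >/dev/null
}

# 0 if SCRIPT ($1) can be modified by www-data: owned by www-data, or writable by
# group/other (mode bits 022). A root-owned 755 file returns 1. Uses GNU stat.
script_writable_by_www_data() {
    [ -e "$1" ] || return 1
    owner=$(stat -c '%U' "$1")
    mode=$(stat -c '%a' "$1")            # e.g. 755, 777, 1777
    [ "$owner" = www-data ] && return 0
    [ $(( 0$mode & 022 )) -ne 0 ]        # leading 0 makes the arithmetic octal
}

# 0 only when both conditions hold, i.e. the vulnerable configuration.
is_vulnerable() {
    sudoers_grants_nopasswd "$1" "$2" && script_writable_by_www_data "$2"
}

# Print a verdict for one sudoers/script pair; exit status mirrors is_vulnerable.
audit() {
    sudoers=${1:-$DEFAULT_SUDOERS} script=${2:-$DEFAULT_SCRIPT}
    if is_vulnerable "$sudoers" "$script"; then
        echo "VULNERABLE: $script is writable by www-data and runnable as root via $sudoers"
        return 0
    fi
    echo "not vulnerable: $script / $sudoers"
    return 1
}

# Constructed demonstration: a sudoers line modelled on the one quoted in the
# advisory, pointing at a world-writable scratch copy of the script.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\n' > "$tmp/enablelog.sh"; chmod 777 "$tmp/enablelog.sh"
    printf 'www-data ALL=(ALL) NOPASSWD: %s\n' "$tmp/enablelog.sh" > "$tmp/raspap"
    audit "$tmp/raspap" "$tmp/enablelog.sh" || :     # VULNERABLE
    chmod 755 "$tmp/enablelog.sh"                     # the permissions workaround
    audit "$tmp/raspap" "$tmp/enablelog.sh" || :     # not vulnerable
    rm -rf "$tmp"
}
demo
```

On a live device run `audit` with no arguments (as root, since /etc/sudoers.d is not world-readable); note it checks the default sudoers.d file only, not rules in /etc/sudoers itself.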
📡 Detection & Monitoring
Log Indicators:
- sudo logs showing www-data executing enablelog.sh
- Unauthorized modifications to /etc/raspap/hostapd/enablelog.sh
- Unexpected root-level processes spawned by www-data
Network Indicators:
- Unusual outbound connections from the Raspberry Pi
- SSH or other services running on non-standard ports
SIEM Query:
process.name="sudo" AND process.args="enablelog.sh" AND user.name="www-data"
🔗 References
- https://github.com/RaspAP/raspap-webgui
- https://github.com/RaspAP/raspap-webgui/blob/fabc48c7daae4013b9888f266332e510b196a062/installers/raspap.sudoers
- https://zerosecuritypenetrationtesting.com/?page_id=306