CVE-2021-38759

9.8 CRITICAL

📋 TL;DR

CVE-2021-38759 is a critical authentication vulnerability in Raspberry Pi OS where the default 'pi' user account has a known default password ('raspberry'). Attackers who can access the system can gain administrator privileges if the password hasn't been changed. This affects all Raspberry Pi OS installations through version 5.10 that haven't modified the default credentials.

💻 Affected Systems

Products:
  • Raspberry Pi OS
Versions: Through 5.10
Operating Systems: Raspberry Pi OS (formerly Raspbian)
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable if the default 'pi' user account exists with the default password 'raspberry'. Systems that have changed the password or removed the account are not vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with root/administrator access, allowing attackers to install malware, steal data, pivot to other systems, or use the device for botnet activities.

🟠 Likely Case: Unauthorized access leading to data theft, system modification, or use of the device for cryptocurrency mining or DDoS attacks.

🟢 If Mitigated: No impact if the default password has been changed or if the 'pi' user account has been removed.

🌐 Internet-Facing: HIGH - Any Raspberry Pi exposed to the internet with default credentials can be easily compromised by automated scanning tools.
🏢 Internal Only: MEDIUM - Internal attackers or malware that reaches the internal network could exploit this, but exploitation requires network (or console) access to the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial - attackers simply need to attempt SSH or console login with username 'pi' and password 'raspberry'. Automated tools and botnets actively scan for this vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Raspberry Pi OS versions after 5.10 (specifically, Bullseye release and later)

Vendor Advisory: https://www.raspberrypi.com/documentation/computers/configuration.html#change-the-default-password

Restart Required: No

Instructions:

1. Update Raspberry Pi OS to Bullseye or a later version.
2. During first boot of newer versions, you will be forced to change the default password.
3. For existing installations, manually change the password using the 'passwd' command.

🔧 Temporary Workarounds

Change Default Password (linux)

Change the password for the 'pi' user account to a strong, unique password:

    sudo passwd pi

Disable or Remove pi Account (linux)

Create a new user account with sudo privileges, then disable or remove the default pi account. Log out of 'pi' and log in as the new user before running the last command: userdel refuses to remove an account that still has running processes, and you would otherwise lock yourself out if the new account's sudo access had not been set up correctly.

    sudo adduser newusername
    sudo usermod -aG sudo newusername
    sudo deluser pi

🧯 If You Can't Patch

  • Immediately change the default password for the 'pi' user account using 'sudo passwd pi'
  • Implement network segmentation to isolate Raspberry Pi devices from untrusted networks
  • Disable SSH if not needed, or restrict SSH access to specific IP addresses using firewall rules

🔍 How to Verify

Check if Vulnerable:

Attempt to SSH in or log in locally with username 'pi' and password 'raspberry'. If the login succeeds, the system is vulnerable.

Check Version:

    grep VERSION_ID /etc/os-release

The version only tells you whether the release forces a password change on first boot; as noted under Affected Systems, a system that was upgraded in place is still vulnerable if the 'pi' account keeps its default password, so the login check above is the authoritative test.

Verify Fix Applied:

Attempt to log in with the old credentials; it should fail. Then verify that you can log in with the new credentials.

📡 Detection & Monitoring

Log Indicators:

  • Failed SSH login attempts for user 'pi' followed by successful login
  • Multiple authentication failures from same source IP
  • Successful logins for user 'pi' from unexpected locations

Network Indicators:

  • SSH brute force attempts on port 22
  • Traffic patterns inconsistent with normal usage
  • Outbound connections to known malicious IPs after successful login

SIEM Query:

source="auth.log" ("Failed password for pi" OR "Accepted password for pi")
| rex "(?<result>Accepted|Failed) password for pi from (?<src_ip>\S+) port"
| stats count by src_ip, result

The rex stage extracts the source address and outcome from the sshd message text, since these fields are not indexed automatically; grouping by both makes the "failures followed by a success from the same source" pattern listed above visible in the results.
