CVE-2021-42370
📋 TL;DR
This vulnerability in XoruX LPAR2RRD and STOR2RRD exposes cleartext passwords in HTML password input fields when viewing device properties. Attackers with access to the web interface can view stored passwords by configuring their browser to display password fields. Organizations using affected versions of these monitoring tools are at risk.
💻 Affected Systems
- XoruX LPAR2RRD
- XoruX STOR2RRD
📦 What is this software?
XoruX LPAR2RRD is a performance monitoring tool for IBM Power Systems (LPARs) and other virtualized platforms; STOR2RRD is its companion for storage arrays and SAN infrastructure. Both poll the monitored devices using credentials stored in the application, which is why device properties pages hold passwords.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative credentials, leading to complete compromise of monitored systems, data exfiltration, or lateral movement across infrastructure.
Likely Case
Unauthorized users with web interface access extract passwords for monitored devices, potentially gaining access to storage arrays, servers, or network equipment.
If Mitigated
With proper network segmentation and access controls, impact is limited to credential exposure without direct access to critical systems.
🎯 Exploit Status
Exploitation requires web interface access but is trivial once authenticated; involves browser configuration to reveal password fields.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.30 and later
Vendor Advisory: https://lpar2rrd.com/note730.php
Restart Required: Yes
Instructions:
1. Download version 7.30 or later from the vendor website.
2. Back up the current configuration.
3. Stop the application service.
4. Install the update.
5. Restart the application service.
6. Verify functionality.
🔧 Temporary Workarounds
Restrict Web Interface Access
Limit access to the LPAR2RRD/STOR2RRD web interface to only trusted users and networks using firewall rules or network segmentation.
Implement Strong Authentication
Enforce multi-factor authentication for web interface access and use strong, unique passwords for application accounts.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the monitoring system from critical infrastructure
- Regularly rotate passwords stored in the application and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check application version via web interface or configuration files; versions below 7.30 are vulnerable.
Check Version:
Check web interface footer or configuration files for version number
Verify Fix Applied:
After upgrading to 7.30+, verify that password fields in device properties no longer display cleartext when browser is configured to show password fields.
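As an added offline check for the verification step above (example code, not from the vendor advisory or the product), the script below parses a page's HTML and flags every password input whose value attribute is pre-filled by the server. The sample form is constructed; the field name `passwd` and the `/device/save` action are assumptions, not real LPAR2RRD/STOR2RRD markup.

```python
from html.parser import HTMLParser


class PasswordFieldAuditor(HTMLParser):
    """Collects every <input type="password"> and records whether the server
    pre-filled it with a cleartext value (the behaviour CVE-2021-42370 describes)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # Attribute names are case-insensitive; a bare attribute parses as None.
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "text").lower() != "password":
            return
        self.findings.append({
            "name": a.get("name", "(unnamed)"),
            "prefilled": bool(a.get("value")),
        })


def audit_password_fields(html):
    """Return (names of pre-filled password fields, total password fields)."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    parser.close()
    leaking = [f["name"] for f in parser.findings if f["prefilled"]]
    return leaking, len(parser.findings)


# Constructed sample page (not captured from LPAR2RRD/STOR2RRD): a device
# properties form whose password input carries the stored secret in 'value'.
VULNERABLE_SAMPLE = """
<form action="/device/save" method="post">
  <input type="text" name="host" value="san01.example">
  <input type="text" name="user" value="monitor">
  <input type="password" name="passwd" value="S3cret!">
</form>
"""

# The same form as a fixed build should render it: field present, value empty.
FIXED_SAMPLE = VULNERABLE_SAMPLE.replace('value="S3cret!"', 'value=""')

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_SAMPLE), ("fixed", FIXED_SAMPLE)):
        leaking, total = audit_password_fields(page)
        print(f"{label}: {len(leaking)}/{total} password field(s) pre-filled: {leaking}")
```

Run it against the saved HTML of a device properties page before and after the upgrade; a non-empty list on the upgraded build means the fix is not in effect.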
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts
- Unusual access patterns to device properties pages
- Configuration changes to password fields
Network Indicators:
- Unusual traffic to web interface from unexpected sources
- HTTP requests to device properties endpoints
SIEM Query:
(source="lpar2rrd" OR source="stor2rrd") AND (event="login_failure" OR url="*device_properties*")
🔗 References
- https://github.com/orangecertcc/security-research/security/advisories/GHSA-f3qp-4xqq-2wjx
- https://lpar2rrd.com/note730.php
- https://stor2rrd.com/note730.php