CVE-2021-42371

9.8 CRITICAL

📋 TL;DR

CVE-2021-42371 is a critical vulnerability in XoruX LPAR2RRD and STOR2RRD monitoring software: a hardcoded 'lpar2rrd' system account with a fixed, known password is present on every installation. Anyone who can reach a login interface for that account can authenticate as it without any prior access. All releases before version 7.30 are affected.

💻 Affected Systems

Products:
  • XoruX LPAR2RRD
  • XoruX STOR2RRD
Versions: All versions before 7.30
Operating Systems: Linux, AIX, Other Unix-like systems where these products run
Default Config Vulnerable: ⚠️ Yes
Notes: The account is created by the default installation, so every unpatched deployment carries the same credential. Upgrading to 7.30 is the vendor-supported fix; network restriction and account lockdown (below) only reduce exposure until then.

📦 What is this software?

LPAR2RRD is a performance monitoring and capacity-planning tool from XoruX for IBM Power Systems logical partitions (LPARs) and other virtualized environments; STOR2RRD is its companion product for storage arrays, SAN and LAN. Both are installed on a Linux or AIX host under a dedicated service user, collect data over the network from the monitored platforms, and present results through a web UI served by the host's web server.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary code, access sensitive monitoring data, pivot to other systems, and potentially disrupt critical infrastructure monitoring.

🟠

Likely Case

Unauthorized access to monitoring systems leading to data theft, configuration changes, and potential privilege escalation within the monitoring environment.

🟢

If Mitigated

Limited impact if network segmentation keeps the web interface and SSH on the monitoring host unreachable from untrusted networks, so that the account cannot be reached for login at all.

🌐 Internet-Facing: HIGH - If monitoring interfaces are exposed to the internet, attackers can easily exploit this using known credentials.
🏢 Internal Only: HIGH - Even internally, any user with network access to the monitoring interface can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only knowledge of the hardcoded credentials and network access to the monitoring interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.30

Vendor Advisory: https://lpar2rrd.com/note730.php

Restart Required: Yes

Instructions:

1. Download version 7.30 or later from the vendor website.
2. Stop the LPAR2RRD/STOR2RRD services.
3. Install the updated version following the vendor's upgrade instructions.
4. Restart the services.
5. Verify that the previously hardcoded 'lpar2rrd' credentials no longer authenticate (a service user of that name may legitimately remain).

🔧 Temporary Workarounds

Network Access Restriction

Platform: Linux

Restrict network access to the LPAR2RRD/STOR2RRD web interface to trusted sources. The rules are inserted at the top of INPUT so that an earlier broad ACCEPT cannot shadow the DROP; replace the bracketed placeholders with the real port and CIDR. Because the hardcoded account is a system account, apply the same restriction to SSH (port 22) on the host.

# ACCEPT is inserted after DROP, so it ends up above it and is evaluated first
iptables -I INPUT 1 -p tcp --dport [LPAR2RRD_PORT] -j DROP
iptables -I INPUT 1 -p tcp --dport [LPAR2RRD_PORT] -s [TRUSTED_NETWORK] -j ACCEPT

Authentication Layer

Platform: Any

Put an authenticating reverse proxy in front of the web interface so the application is never reachable directly. This protects only the web UI; it does nothing against a shell login to the same account, which must be covered by the network restriction above.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate monitoring systems from untrusted networks
  • Because this is a system account, restrict interactive login to it as well as the web UI: limit SSH to trusted sources and consider disallowing password login for 'lpar2rrd' in sshd, after confirming that nothing depends on password login for that user
  • Monitor authentication logs for attempts to use the 'lpar2rrd' account and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check whether the installed version is below 7.30 using the command below, and, on a host you are authorised to test, attempt to authenticate with username 'lpar2rrd' and the known hardcoded password.

Check Version:

# paths assume the install directories used on this page; adjust if the product is installed elsewhere
cat /opt/lpar2rrd/etc/version.txt 2>/dev/null || cat /opt/stor2rrd/etc/version.txt

Verify Fix Applied:

After patching to 7.30 or later, confirm that the version file reports 7.30 or higher and that authentication with the old 'lpar2rrd' credentials fails.
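The version check and the account status check above, combined into one script. This is an added example, not the page's or the vendor's code. It assumes that etc/version.txt under the install directory contains the product version as a "major.minor" token, that the vendor numbers minor versions with two digits (so 7.3 is treated as 7.03, below 7.30), that the default install directory is /opt/lpar2rrd as used on this page, and that the host is Linux with shadow-utils so that passwd -S is available (run as root for that part). The function names are the example's own.

```shell
#!/bin/sh
# Added example: check an LPAR2RRD/STOR2RRD host for CVE-2021-42371 exposure.
# Assumptions (not vendor-documented here): etc/version.txt holds a "N.NN"
# version token, minors are two-digit, install dir defaults to /opt/lpar2rrd,
# passwd -S (Linux shadow-utils) reports local account password status.

# Print the first "N.NN" token found in the version file (assumed format).
extract_version() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+$/) { print $i; exit } }' "$1"
}

# Return 0 if the version is below 7.30 (vulnerable), 1 if 7.30 or later,
# 2 if the argument is not a major.minor number.
lpar2rrd_version_vulnerable() {
  ver=$1
  case $ver in *.*) ;; *) ver="$ver.0" ;; esac
  major=${ver%%.*}
  minor=${ver#*.}; minor=${minor%%.*}
  case "$major" in ''|*[!0-9]*) return 2 ;; esac
  case "$minor" in ''|*[!0-9]*) return 2 ;; esac
  [ "$major" -lt 7 ] && return 0
  [ "$major" -eq 7 ] && [ "$minor" -lt 30 ] && return 0
  return 1
}

# Password status of a local account via shadow-utils "passwd -S":
# P = usable password, L = locked, NP = no password. Prints "unknown" when the
# account does not exist, passwd is unavailable, or the caller is not root.
account_password_status() {
  passwd -S "$1" 2>/dev/null | awk '{ print $2 }' | grep . || echo unknown
}

# Whole-host check. $1 = install directory (default /opt/lpar2rrd).
# Returns 0 when the host is vulnerable, 1 when not, 2 when undetermined.
check_host() {
  dir=${1:-/opt/lpar2rrd}
  ver=$(extract_version "$dir/etc/version.txt" 2>/dev/null || true)
  [ -n "$ver" ] || { echo "no version found under $dir"; return 2; }
  if lpar2rrd_version_vulnerable "$ver"; then
    echo "VULNERABLE: version $ver is below 7.30"
    echo "local 'lpar2rrd' password status: $(account_password_status lpar2rrd) (P = password usable, L = locked)"
    return 0
  fi
  echo "not affected by version: $ver"
  return 1
}

if [ $# -gt 0 ]; then check_host "$1"; fi
```

Run it as `sh check.sh /opt/lpar2rrd` (or the STOR2RRD directory). A "P" status on a vulnerable host means the hardcoded password is usable for login; a version at or above 7.30 with the credentials still authenticating would indicate an incomplete upgrade and should be raised with the vendor.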

📡 Detection & Monitoring

Log Indicators:

  • Authentication attempts with username 'lpar2rrd'
  • Unusual access patterns to monitoring interfaces
  • Failed authentication attempts followed by successful logins

Network Indicators:

  • Unexpected connections to LPAR2RRD/STOR2RRD ports from unauthorized sources
  • Traffic patterns suggesting credential testing

SIEM Query:

(source="*lpar2rrd*" OR source="*stor2rrd*" OR source="*auth.log*" OR source="*secure*") AND user="lpar2rrd"

Splunk-style search. The OR group must be parenthesised: AND binds tighter than OR, so without the parentheses the search returns every event from the lpar2rrd sources regardless of user. The host's sshd log (auth.log on Debian-derived systems, secure on RHEL-derived ones) is included because a login to a system account is recorded there, not in the product's own logs. Field names such as user depend on the parser in use.
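The log indicators listed above (logins as 'lpar2rrd', failures followed by success, unexpected sources) expressed as a check over an sshd auth log. This is an added example, not part of the page or the vendor's tooling. It assumes the standard OpenSSH "Accepted|Failed <method> for <user> from <ip>" message format and that legitimate administration comes from one trusted source prefix; the sample log lines are constructed, not real data.

```shell
#!/bin/sh
# Added example: flag suspicious logins to the 'lpar2rrd' account in an sshd
# auth log (/var/log/auth.log on Debian-derived, /var/log/secure on
# RHEL-derived hosts). Assumes standard OpenSSH log lines and a single trusted
# source prefix for administrators.

# Write a constructed sample log (not real data) to the file named in $1.
write_sample_auth_log() {
  cat > "$1" <<'EOF'
Nov  5 10:12:01 mon01 sshd[2210]: Failed password for lpar2rrd from 198.51.100.23 port 51022 ssh2
Nov  5 10:12:03 mon01 sshd[2210]: Failed password for lpar2rrd from 198.51.100.23 port 51022 ssh2
Nov  5 10:12:05 mon01 sshd[2210]: Accepted password for lpar2rrd from 198.51.100.23 port 51022 ssh2
Nov  5 11:00:00 mon01 sshd[2300]: Accepted publickey for lpar2rrd from 10.0.5.10 port 40000 ssh2
Nov  5 11:20:17 mon01 sshd[2355]: Accepted password for lpar2rrd from 10.0.5.12 port 40212 ssh2
Nov  5 11:25:00 mon01 sshd[2310]: Accepted password for alice from 10.0.5.11 port 40010 ssh2
EOF
}

# $1 = log file, $2 = trusted source prefix such as "10.0.5."
# Prints one "ALERT <ip> <reasons>" line per suspicious successful login:
#   password-login   : the hardcoded credential is a password, so any
#                      password-based success for this account is suspect
#   untrusted-source : success from outside the trusted prefix
#   after-N-failures : success preceded by N failures from the same IP
lpar2rrd_auth_alerts() {
  awk -v trusted="$2" '
    function add(r, s) { return length(r) ? r "," s : s }
    / sshd\[[0-9]+\]: (Accepted|Failed) [a-z]+ for lpar2rrd from / {
      result = $6; method = $7; ip = $11
      if (result == "Failed") { fails[ip]++; next }
      reason = ""
      if (method == "password") reason = add(reason, "password-login")
      if (index(ip, trusted) != 1) reason = add(reason, "untrusted-source")
      if (fails[ip] > 0) reason = add(reason, "after-" fails[ip] "-failures")
      if (length(reason)) print "ALERT " ip " " reason
    }' "$1"
}

if [ $# -gt 0 ]; then lpar2rrd_auth_alerts "$1" "${2:?trusted prefix required}"; fi
```

On the sample data this reports the external password login that followed two failures and the password login from an internal host, and stays quiet for the key-based login from the trusted range. Run it against a real log as `sh alerts.sh /var/log/auth.log 10.0.5.`; a key-based login from a trusted address is not alerted because the hardcoded credential is a password, which is also why disallowing password login for the account is an effective interim control.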
