CVE-2021-44124

7.5 HIGH

📋 TL;DR

This directory traversal vulnerability in Hiby Music Hiby OS allows attackers to access arbitrary files on the device's filesystem via the HTTP server. Attackers can navigate outside the intended SD card directory to read sensitive system files. This affects users of Hiby R3 Pro music players running vulnerable firmware versions.

💻 Affected Systems

Products:
  • Hiby Music Hiby OS R3 Pro
Versions: 1.5 and 1.6
Operating Systems: Hiby OS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default HTTP server configuration that serves SD card content.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of device confidentiality - attackers can read all files including configuration files, credentials, and user data stored on the device.

🟠 Likely Case

Unauthorized access to sensitive files stored on the SD card and device filesystem, potentially exposing personal data and device configuration.

🟢 If Mitigated

Access is limited to the intended SD card directories once proper input validation and path sanitization are in place.

🌐 Internet-Facing: MEDIUM - The HTTP server is typically accessible on local networks, but could be exposed if devices are connected to untrusted networks or port forwarding is configured.
🏢 Internal Only: HIGH - On local networks, attackers can easily exploit this vulnerability to access sensitive files without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the device's HTTP server (port 80 by default). Attackers can use simple HTTP requests with directory traversal sequences like '../' to access files outside the intended directory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Check Hiby's official website or firmware updates for potential fixes. Consider workarounds if no patch exists.

🔧 Temporary Workarounds

Disable HTTP Server

all

Turn off the HTTP server functionality that serves SD card content

Navigate to device settings > Network > HTTP Server > Disable

Network Segmentation

all

Isolate the device on a separate VLAN or network segment to limit attack surface

🧯 If You Can't Patch

  • Disconnect device from untrusted networks and only use on isolated, trusted networks
  • Regularly monitor device logs for unusual HTTP requests containing directory traversal patterns

🔍 How to Verify

Check if Vulnerable:

Test by accessing the device's HTTP server and attempting to navigate outside the SD card directory using '../' sequences in URLs

Check Version:

Check firmware version in device settings: Settings > System > About > Firmware Version

Verify Fix Applied:

Verify that directory traversal attempts are blocked and return appropriate error responses instead of file contents

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' sequences
  • Access to files outside expected SD card paths
  • Failed file access attempts with traversal patterns

Network Indicators:

  • HTTP requests to device with directory traversal payloads
  • Unusual file access patterns from external IPs

SIEM Query:

http.url:*../* AND destination.port:80 AND device.vendor:"Hiby"
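
As an added example that is not part of this advisory or of Hiby's firmware, the following Python shows the path-containment check described under "If Mitigated" and "Verify Fix Applied" beside detection logic for the "Log Indicators" above; it generalizes the literal '../' pattern of the SIEM query to percent-encoded forms, which that query as written would miss. The log lines, the root path /mnt/sdcard and the /sdcard/ URL prefix are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample access-log lines (not real Hiby OS output); lines 2-4
# carry plain, percent-encoded and double-encoded traversal attempts.
SAMPLE_LOG = [
    '192.168.1.20 - - [01/Jan/2022:10:00:00] "GET /sdcard/Music/track.flac HTTP/1.1" 200',
    '192.168.1.77 - - [01/Jan/2022:10:00:05] "GET /sdcard/../../etc/passwd HTTP/1.1" 200',
    '192.168.1.77 - - [01/Jan/2022:10:00:09] "GET /sdcard/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200',
    '192.168.1.77 - - [01/Jan/2022:10:00:12] "GET /sdcard/%252e%252e/etc/hosts HTTP/1.1" 404',
    '192.168.1.20 - - [01/Jan/2022:10:00:20] "GET /sdcard/Playlists/a..b.m3u HTTP/1.1" 200',
]

def decode_fully(path, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (%2e%2e, %252e%252e -> '..')."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def resolve_under_root(root, subpath):
    """Map the URL part after the SD-card prefix onto a file under `root`;
    return the normalized path to serve, or None if it would escape `root`."""
    root = posixpath.normpath(root)
    decoded = decode_fully(subpath).replace("\\", "/")
    if "\x00" in decoded:          # embedded NUL would truncate a C path
        return None
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    return joined if joined == root or joined.startswith(root + "/") else None

def has_traversal_segment(path):
    """True when a decoded segment is exactly '..' ('a..b.m3u' must not alert)."""
    return any(seg == ".." for seg in decode_fully(path).replace("\\", "/").split("/"))

def find_traversal_requests(log_lines):
    """Return (client_ip, raw_request_path) for each line with a traversal segment."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2 or len(parts[1].split(" ")) < 2:
            continue
        request_path = parts[1].split(" ")[1]
        if has_traversal_segment(request_path):
            hits.append((line.split(" ", 1)[0], request_path))
    return hits
```

Running `find_traversal_requests(SAMPLE_LOG)` flags the three requests from 192.168.1.77 and leaves the playlist name with embedded dots alone.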
