CVE-2021-4470
📋 TL;DR
CVE-2021-4470 is a critical pre-authentication remote code execution vulnerability in TG8 Firewall's runphpcmd.php endpoint. Unauthenticated attackers can execute arbitrary operating system commands with root privileges, leading to complete device compromise. All TG8 Firewall deployments with the vulnerable endpoint exposed are affected.
💻 Affected Systems
- TG8 Firewall
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full device takeover with root access, allowing installation of persistent backdoors, data exfiltration, lateral movement to internal networks, and complete firewall rule manipulation.
Likely Case
Attackers gain root shell access to compromise the firewall device, potentially pivoting to internal networks or using it as a foothold for further attacks.
If Mitigated
If the device is properly segmented and access-controlled, impact is limited to the firewall device itself, without lateral movement capabilities.
🎯 Exploit Status
Simple HTTP POST request with command injection in syscmd parameter. Multiple public advisories include proof-of-concept details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specifically documented in public sources
Vendor Advisory: https://web.archive.org/web/20211024224240/http://www.tg8security.com/
Restart Required: No
Instructions:
1. Contact TG8 Security for the latest firmware updates.
2. Apply the firmware patch from the vendor.
3. Verify that the runphpcmd.php endpoint is no longer accessible or is properly secured.
🔧 Temporary Workarounds
Block runphpcmd.php endpoint
Use firewall rules or web server configuration to block access to the vulnerable endpoint. Note that the iptables string match below only inspects plaintext HTTP on port 80; it cannot see inside TLS, so for an HTTPS management interface the web server rule is the effective control.
# Example using iptables:
iptables -A INPUT -p tcp --dport 80 -m string --string "runphpcmd.php" --algo bm -j DROP
# Example using Apache:
<Location "/runphpcmd.php">
    Require all denied
</Location>
Remove vulnerable file
Delete or rename the runphpcmd.php file if it is not needed
rm /path/to/runphpcmd.php
mv /path/to/runphpcmd.php /path/to/runphpcmd.php.disabled
🧯 If You Can't Patch
- Immediately isolate TG8 Firewall from internet and restrict internal access to management interface
- Implement strict network segmentation and monitor all traffic to/from the firewall device
🔍 How to Verify
Check if Vulnerable:
Attempt to access https://[firewall-ip]/runphpcmd.php with a POST request containing a syscmd parameter. If the command executes, the device is vulnerable.
Check Version:
Check the web interface, or SSH into the device and check the firmware version. The specific command varies by TG8 model.
Verify Fix Applied:
Verify that the runphpcmd.php endpoint returns a 404/403 error or no longer executes commands. Check with the vendor for the patched firmware version.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /runphpcmd.php
- Unusual system commands executed from web process
- Root privilege escalation from web user
Network Indicators:
- HTTP traffic to firewall on unusual ports
- POST requests with syscmd parameter containing shell metacharacters
- Outbound connections from firewall to suspicious IPs
SIEM Query:
source="firewall_logs" AND (url="*runphpcmd.php*" OR (method="POST" AND uri="*runphpcmd.php*"))
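The log and network indicators above can be turned into a small triage script. The following is an added example, not code from the page or from TG8 Security: it assumes a reverse proxy or WAF in front of the firewall's web interface writes one JSON record per request including the POST body (the field names ts, src, method, uri and body are an assumption), and it ranks each hit by whether the request merely touched runphpcmd.php, supplied a syscmd parameter, or supplied one containing shell metacharacters. The sample log lines are constructed for this example.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that would chain or substitute commands inside a syscmd value.
SHELL_META = re.compile(r"[;&|`$<>\n]|\$\(")

# Constructed sample records (not real TG8 or proxy logs), one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2021-10-24T22:40:01Z","src":"203.0.113.7","method":"GET","uri":"/index.php","body":""}
{"ts":"2021-10-24T22:40:05Z","src":"203.0.113.7","method":"POST","uri":"/runphpcmd.php","body":"syscmd=id"}
{"ts":"2021-10-24T22:40:09Z","src":"203.0.113.7","method":"POST","uri":"/runphpcmd.php","body":"syscmd=id%3Bwhoami"}
{"ts":"2021-10-24T22:41:00Z","src":"198.51.100.3","method":"GET","uri":"/runphpcmd.php?syscmd=uptime","body":""}
{"ts":"2021-10-24T22:42:00Z","src":"192.0.2.9","method":"POST","uri":"/login.php","body":"user=admin&pass=x"}
"""


def syscmd_values(method, uri, body):
    """Return every syscmd value carried in the query string or, for POST, the body."""
    values = list(parse_qs(urlsplit(uri).query).get("syscmd", []))
    if method.upper() == "POST" and body:
        values += parse_qs(body).get("syscmd", [])
    return values


def classify(record):
    """Return (severity, reason) for one parsed record, or None if it is not of interest.

    Severity 1: request reached runphpcmd.php without a syscmd parameter.
    Severity 2: a syscmd parameter was supplied.
    Severity 3: the syscmd value contains shell metacharacters.
    """
    path = urlsplit(record["uri"]).path
    if not path.endswith("/runphpcmd.php"):
        return None
    cmds = syscmd_values(record["method"], record["uri"], record["body"])
    if not cmds:
        return (1, "request to runphpcmd.php without syscmd")
    if any(SHELL_META.search(c) for c in cmds):
        return (3, "syscmd contains shell metacharacters: " + repr(cmds))
    return (2, "syscmd parameter supplied: " + repr(cmds))


def scan(log_text):
    """Classify each JSON line; return a list of (src, severity, reason) for hits only."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict is not None:
            hits.append((rec["src"], verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for src, severity, reason in scan(SAMPLE_LOG):
        print(f"[sev {severity}] {src}: {reason}")
```

Severity 1 hits are worth keeping even though the page's SIEM query already matches them: on a patched or blocked device any request to this path is reconnaissance against a known-bad endpoint, and the source address is a useful pivot for the outbound-connection indicator above.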
🔗 References
- https://ssd-disclosure.com/ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure/
- https://web.archive.org/web/20211024224240/http://www.tg8security.com/
- https://www.vulncheck.com/advisories/tg8-firewall-unauthenticated-rce-via-runphpcmd-php