CVE-2021-4471
📋 TL;DR
TG8 Firewall exposes the /data/ directory via HTTP without authentication, allowing remote attackers to download credential files containing usernames and passwords. This affects all TG8 Firewall installations with the vulnerable configuration, enabling unauthorized access to firewall management and potentially internal networks.
💻 Affected Systems
- TG8 Firewall
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of firewall administration, lateral movement into internal networks, and potential data exfiltration or ransomware deployment.
Likely Case
Unauthenticated attackers obtain valid credentials, gain administrative access to the firewall, and modify rules to allow further attacks.
If Mitigated
Limited to credential exposure without successful authentication or lateral movement due to network segmentation.
🎯 Exploit Status
Simple HTTP directory traversal/listing attack with no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown specific version - check vendor advisory
Vendor Advisory: https://www.tg8security.com/ (site may be archived)
Restart Required: Yes
Instructions:
1. Contact TG8 Security for the latest firmware.
2. Back up the configuration.
3. Apply the firmware update.
4. Restart the firewall.
5. Verify that the /data/ directory is no longer accessible without authentication.
🔧 Temporary Workarounds
Block HTTP access to /data/ directory
Configure firewall rules to block external HTTP access to the /data/ path
# Configure in TG8 Firewall web interface: Firewall Rules -> Block HTTP to /data/*
Implement authentication for web interface
Ensure the web interface requires authentication before serving any content
# Configure in TG8 Firewall: System -> Web Interface -> Enable authentication
🧯 If You Can't Patch
- Isolate firewall management interface to trusted network segments only
- Implement network-based intrusion detection to monitor for /data/ directory access attempts
🔍 How to Verify
Check if Vulnerable:
Attempt an HTTP GET request to http://[firewall-ip]/data/ - if a directory listing or file download succeeds without authentication, the system is vulnerable.
Check Version:
Log in to the TG8 Firewall web interface and check System -> About, or use SSH/Telnet to check the version
Verify Fix Applied:
Repeat the vulnerability check - you should receive an authentication prompt or an access-denied response. Verify that no credential files are accessible.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /data/ path from unauthenticated sources
- Multiple failed authentication attempts followed by /data/ access
Network Indicators:
- HTTP traffic to firewall on port 80/443 containing /data/ in URI
- Unusual file downloads from firewall web interface
SIEM Query:
source="firewall_logs" AND (uri="/data/*" OR uri CONTAINS "/data/") AND auth_status="failed"
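As an added example (not part of this advisory and not TG8's own tooling), the log indicators above turned into a small triage script run over constructed access-log lines. TG8's actual log format is not documented on this page, so a Common Log Format-style layout with an authenticated-user field is assumed; the IPs and the file name users.txt are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a Common Log Format-like layout (assumed; this page
# does not document TG8's log format). Third field is the authenticated user, "-" if none.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2021:22:42:40 +0000] "GET /data/ HTTP/1.1" 200 1432
203.0.113.7 - - [24/Oct/2021:22:42:41 +0000] "GET /data/users.txt HTTP/1.1" 200 512
198.51.100.9 - admin [24/Oct/2021:22:43:02 +0000] "GET /data/ HTTP/1.1" 200 1432
192.0.2.5 - - [24/Oct/2021:22:44:10 +0000] "GET /data/ HTTP/1.1" 403 0
192.0.2.5 - - [24/Oct/2021:22:44:11 +0000] "GET /login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

@dataclass
class Finding:
    src: str
    path: str
    status: int
    severity: str

def classify(line):
    """Return a Finding for a request into /data/, or None for other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]   # ignore query strings
    if path != "/data" and not path.startswith("/data/"):
        return None
    status = int(m.group("status"))
    unauth = m.group("user") == "-"
    if unauth and 200 <= status < 300:
        sev = "high"      # unauthenticated request was served content
    elif unauth:
        sev = "medium"    # blocked, but someone is probing the path
    else:
        sev = "info"      # authenticated administrative activity
    return Finding(m.group("src"), path, status, sev)

def scan(log_text):
    return [f for f in map(classify, log_text.splitlines()) if f]

def exposed_sources(log_text):
    """Source IPs that retrieved /data/ content without authenticating."""
    return sorted({f.src for f in scan(log_text) if f.severity == "high"})
```

A "high" finding means the exposure is live, not merely probed, and is the case that warrants immediate credential rotation on the firewall.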
🔗 References
- https://ssd-disclosure.com/ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure/
- https://web.archive.org/web/20211024224240/http://www.tg8security.com/
- https://www.vulncheck.com/advisories/tg8-firewall-unauthenticated-user-password-disclosure