CVE-2021-45885

7.5 HIGH

📋 TL;DR

This vulnerability in Stormshield Network Security (SNS) allows attackers to potentially access SSH accounts using old passwords that weren't properly cleared during password changes. It affects organizations running SNS firewalls between versions 4.2.2 and 4.2.7 during specific update-migration scenarios.

💻 Affected Systems

Products:
  • Stormshield Network Security (SNS)
Versions: 4.2.2 through 4.2.7
Operating Systems: Stormshield proprietary OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems that underwent specific update-migration scenarios where SSH password changes occurred.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain persistent SSH access to firewall management interfaces, potentially compromising network security controls and enabling lateral movement.

🟠 Likely Case

Unauthorized SSH access to firewall management, allowing configuration changes, rule modifications, or credential harvesting.

🟢 If Mitigated

Limited impact due to network segmentation, strong authentication controls, and monitoring of SSH access patterns.

🌐 Internet-Facing: MEDIUM - SSH management interfaces should not be internet-facing, but misconfigurations could expose them.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems could exploit this to gain firewall access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires knowledge of old SSH passwords and access to SSH interface. Specific migration scenario needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.8

Vendor Advisory: https://advisories.stormshield.eu/2021-069/

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download SNS 4.2.8 from the Stormshield portal.
3. Apply the update via the web interface or CLI.
4. Restart the firewall.
5. Verify that SSH password changes work correctly.

🔧 Temporary Workarounds

Force SSH password reset (applies to: all)

Manually reset SSH passwords for all accounts to ensure old credentials are cleared:

  ssh admin@firewall_ip
  passwd
  (enter the new password twice)

Disable SSH access (applies to: all)

Temporarily disable SSH management if it is not required.

Configure via web interface: Administration > Access > SSH > Disable

🧯 If You Can't Patch

  • Implement network segmentation to restrict SSH access to management networks only
  • Enable multi-factor authentication for SSH access and monitor SSH login attempts

🔍 How to Verify

Check if Vulnerable:

Check SNS version via web interface (Dashboard > System Information) or CLI command 'show version'

Check Version:

show version | grep Version

Verify Fix Applied:

After updating to 4.2.8, change SSH password and verify old password no longer works
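An added helper, not from the advisory or from Stormshield, that parses a captured `show version` output and reports whether the version falls inside the affected 4.2.2 to 4.2.7 range; the "Version: X.Y.Z" layout of the CLI output is an assumption, and the sample outputs are constructed.

```python
import re

# Affected range and fixed version as stated in the advisory card above.
AFFECTED_MIN = (4, 2, 2)
AFFECTED_MAX = (4, 2, 7)
FIXED = (4, 2, 8)


def parse_version(text):
    """Extract the first 'Version: X.Y.Z' token from CLI output as an int tuple.

    The exact layout of the SNS `show version` output is assumed here.
    """
    m = re.search(r"Version\s*:?\s*(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no version string found in output")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version lies inside 4.2.2 .. 4.2.7 (inclusive).

    Tuples compare numerically, so 4.2.10 is treated as newer than 4.2.8;
    a plain string comparison would get that wrong.
    """
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(cli_output):
    """Return (version, verdict) for a captured `show version` output."""
    v = parse_version(cli_output)
    if is_affected(v):
        verdict = "VULNERABLE: update to %d.%d.%d or later" % FIXED
    elif v < AFFECTED_MIN:
        verdict = "older than the affected range; check the vendor advisory"
    else:
        verdict = "not affected: fixed in 4.2.8"
    return v, verdict


# Constructed sample outputs; not real SNS captures.
SAMPLES = {
    "vulnerable": "Stormshield Network Security\nVersion: 4.2.5\nBuild: constructed",
    "fixed": "Stormshield Network Security\nVersion: 4.2.8\nBuild: constructed",
    "later": "Stormshield Network Security\nVersion: 4.2.10\nBuild: constructed",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(name, *assess(out))
```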

📡 Detection & Monitoring

Log Indicators:

  • Failed SSH login attempts using previously valid (old) passwords
  • Multiple SSH password change events
  • Unusual SSH access patterns

Network Indicators:

  • SSH connections from unexpected sources
  • SSH brute force attempts

SIEM Query:

source="stormshield" AND (event="ssh_failed" OR event="password_change")

🔗 References
