CVE-2021-45987 – This vulnerability allows remote attackers to e... (How to Fix)

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on Tenda G1 and G3 routers by injecting malicious input into the hostName parameter of the formSetNetCheckTools function. Attackers can gain full control of affected routers, potentially compromising network security. Users of Tenda G1 and G3 routers with vulnerable firmware versions are affected.

💻 Affected Systems

Products:

Tenda G1 Router
Tenda G3 Router

Versions: v15.11.0.17(9502)_CN

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Chinese firmware version. Other regional firmware versions may also be vulnerable but unconfirmed.

📦 What is this software?

G1 Firmware by Tendacn

View all CVEs affecting G1 Firmware →

G3 Firmware by Tendacn

View all CVEs affecting G3 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and use the router as a botnet node.

🟠

Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, and installation of cryptocurrency miners or other malware.

🟢

If Mitigated

Limited impact if routers are behind firewalls with strict inbound filtering and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept available on GitHub. Exploitation requires network access to router web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for your router model
3. Access router admin interface
4. Navigate to firmware upgrade section
5. Upload and install new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router web interface

Network Segmentation

all

Isolate router management interface to trusted network

🧯 If You Can't Patch

Replace affected routers with different models or brands
Place routers behind dedicated firewall with strict inbound filtering

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version matches v15.11.0.17(9502)_CN, router is vulnerable.

Check Version:

Login to router web interface and check System Status or Firmware Version page

Verify Fix Applied:

Verify firmware version has been updated to a newer version than v15.11.0.17(9502)_CN.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to formSetNetCheckTools with shell metacharacters in parameters
Unexpected command execution in system logs

Network Indicators:

Unusual outbound connections from router
DNS queries to suspicious domains
Unexpected SSH or telnet connections from router

SIEM Query:

source="router_logs" AND (uri="*/goform/setNetCheckTools" AND (param="hostName" CONTAINS "|" OR param="hostName" CONTAINS ";" OR param="hostName" CONTAINS "`"))

📊 Metadata

CVE ID: CVE-2021-45987

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: February 4, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/pjqwudi/my_vuln/blob/main/Tenda/vuln_3/3.md Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/218961 Third Party Advisory
https://github.com/pjqwudi/my_vuln/blob/main/Tenda/vuln_3/3.md Broken Link

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-45987, you might also want to check these: