CVE-2021-42912

FiberHome ONU GPON AN5506-04-F RP2617 is affected by an OS command injection vulnerability. This vulnerability allows the attacker, once logged in, to send commands to the operating system as the root user via the ping diagnostic tool, bypassing the IP address field, and concatenating OS commands with a semicolon.

CVSS v3.0 8.8 HIGH
CVSS v2.0 9.0 HIGH

8.8^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://fiberhome.com	Broken Link
http://onu.com	Not Applicable
https://medium.com/@windsormoreira/fiberhome-an5506-os-command-injection-cve-2021-42912-10b64fd10ce2	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:fiberhome:an5506-01-a_firmware:rp0509:*:*:*:*:*:*:*

cpe:2.3:h:fiberhome:an5506-01-a:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:fiberhome:an5506-01-b_firmware:rp2610:*:*:*:*:*:*:*

cpe:2.3:h:fiberhome:an5506-01-b:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:fiberhome:an5506-02-b_firmware:rp2520:::::::*
	cpe:2.3:o:fiberhome:an5506-02-b_firmware:rp2521:::::::*
	cpe:2.3:o:fiberhome:an5506-02-b_firmware:rp2603:::::::*

cpe:2.3:h:fiberhome:an5506-02-b:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:fiberhome:an5506-04-b_firmware:rp2510:*:*:*:*:*:*:*

cpe:2.3:h:fiberhome:an5506-04-b:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:fiberhome:an5506-04-f_firmware:rp2617:*:*:*:*:*:*:*

cpe:2.3:h:fiberhome:an5506-04-f:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:fiberhome:aan5506-04-g2g_firmware:rp2560:*:*:*:*:*:*:*

cpe:2.3:h:fiberhome:an5506-04-g2g:-:*:*:*:*:*:*:*

Information

Published : 2021-12-16 09:15

Updated : 2021-12-21 18:40

NVD link : CVE-2021-42912

Mitre link : CVE-2021-42912

JSON object : View

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Products Affected

fiberhome

an5506-01-b
an5506-04-b
an5506-01-b_firmware
an5506-02-b_firmware
an5506-04-f_firmware
an5506-02-b
an5506-04-g2g
an5506-04-f
an5506-01-a
aan5506-04-g2g_firmware
an5506-04-b_firmware
an5506-01-a_firmware

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://fiberhome.com", "name": "http://fiberhome.com", "tags": ["Broken Link"], "refsource": "MISC"}, {"url": "http://onu.com", "name": "http://onu.com", "tags": ["Not Applicable"], "refsource": "MISC"}, {"url": "https://medium.com/@windsormoreira/fiberhome-an5506-os-command-injection-cve-2021-42912-10b64fd10ce2", "name": "https://medium.com/@windsormoreira/fiberhome-an5506-os-command-injection-cve-2021-42912-10b64fd10ce2", "tags": ["Exploit", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "FiberHome ONU GPON AN5506-04-F RP2617 is affected by an OS command injection vulnerability. This vulnerability allows the attacker, once logged in, to send commands to the operating system as the root user via the ping diagnostic tool, bypassing the IP address field, and concatenating OS commands with a semicolon."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-78"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-42912", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "acInsufInfo": false, "impactScore": 10.0, "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}}, "publishedDate": "2021-12-16T17:15Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fiberhome:an5506-01-a_firmware:rp0509:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:fiberhome:an5506-01-a:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fiberhome:an5506-01-b_firmware:rp2610:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:fiberhome:an5506-01-b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fiberhome:an5506-02-b_firmware:rp2520:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fiberhome:an5506-02-b_firmware:rp2521:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fiberhome:an5506-02-b_firmware:rp2603:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:fiberhome:an5506-02-b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fiberhome:an5506-04-b_firmware:rp2510:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:fiberhome:an5506-04-b:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fiberhome:an5506-04-f_firmware:rp2617:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:fiberhome:an5506-04-f:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fiberhome:aan5506-04-g2g_firmware:rp2560:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:fiberhome:an5506-04-g2g:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-12-22T02:40Z"}

8.8 /10