CVE-2021-27561
Published 2021-10-15
CVE-2021-27561: Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
Priority: P196 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 82.52% (99.6th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yealink | device_management | <= 3.6.0.20 | — |
Detection & IOCs (extracted from sources)
URL: /premise/front/getPingData?url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone=;/usr/bin/id;
Port: 9600
Snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)"; flow:established,to_server; http.uri; content:"/premise/front/getPingData?url=http|3a 2f 2f|0.0.0.0|3a|9600/sm/api/v1/firewall/zone/services?zone="; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; reference:url,ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562; reference:cve,2021-27561; classtype:attempted-admin; sid:2032095; rev:3; metadata:attack_target IoT, created_at 2021_03_17, cve CVE_2021_27561, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_09_20;)
- Exploit requests are unauthenticated GET requests to /premise/front/getPingData with a url parameter proxying to the internal port 9600 SSRF endpoint; the zone parameter contains the injected shell command.
- Successful exploitation returns a JSON response body containing uid=, gid=, and groups= strings (output of /usr/bin/id running as root); match all three in the response body with Content-Type: application/json.
- Use the regex (u|g)id=.* against the HTTP response body to extract and confirm root-level command execution output.
- The Emerging Threats Snort rule (sid:2032095) fires on HTTP URIs starting with /premise/front/getPingData?url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone= inbound to the protected network.
- This vulnerability is tagged as associated with Mirai botnet activity; correlate exploitation attempts with subsequent Mirai C2 or bot propagation traffic.
- The SSRF pivot uses the fixed internal address 0.0.0.0 on port 9600; the outer SSRF endpoint (/premise/front/getPingData) is the externally reachable attack surface, while the actual command injection occurs on the internal management API.
- No authentication is required to reach either the SSRF endpoint or the internal command-injection API; network-level blocking of external access to the Yealink DM web interface is the primary mitigation until patching.
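The request-side and response-side indicators listed above can be applied together when triaging web-server or proxy logs for a Yealink DM host. The following Python is an added example written for this page (it is not code from any of the cited sources, from the Emerging Threats rule authors, or from Yealink): it matches the URI prefix used by the ET rule after percent-decoding, extracts the injected zone value for analyst context, and upgrades an "attempt" to "confirmed_rce" only when the response is JSON carrying uid=, gid= and groups=. The record field names and the sample records are constructed assumptions, not a real Yealink log format.

```python
"""Added example (not from the original page): triage CVE-2021-27561 exploitation
attempts and confirmed root command execution in constructed HTTP log records,
using only the indicators listed in the Detection & IOCs section."""
import re
from urllib.parse import unquote

# Request-side indicator: the URI prefix from the Emerging Threats rule (sid:2032095).
EXPLOIT_URI_PREFIX = (
    "/premise/front/getPingData?url=http://0.0.0.0:9600"
    "/sm/api/v1/firewall/zone/services?zone="
)

# Response-side indicators: output of /usr/bin/id executed by the injected command.
ID_MARKERS = ("uid=", "gid=", "groups=")
ID_OUTPUT_RE = re.compile(r"(u|g)id=.*")


def request_matches(method, uri):
    """GET whose percent-decoded URI starts with the SSRF pivot to port 9600."""
    return method.upper() == "GET" and unquote(uri).startswith(EXPLOIT_URI_PREFIX)


def injected_zone_value(uri):
    """Percent-decoded 'zone' value of the inner request, kept for analyst context."""
    return unquote(uri)[len(EXPLOIT_URI_PREFIX):]


def response_indicates_execution(content_type, body):
    """JSON body carrying uid=, gid= and groups= strings, i.e. id(1) output."""
    if "application/json" not in content_type.lower():
        return False
    if not all(marker in body for marker in ID_MARKERS):
        return False
    return ID_OUTPUT_RE.search(body) is not None


def triage(records):
    """Return one finding per matching request, labelled 'attempt' or 'confirmed_rce'.

    Each record is a dict with src, method, uri, status, content_type and body
    (these field names are an assumption of this example, not a product log format).
    """
    findings = []
    for rec in records:
        if not request_matches(rec["method"], rec["uri"]):
            continue
        verdict = "attempt"
        if response_indicates_execution(rec.get("content_type", ""), rec.get("body", "")):
            verdict = "confirmed_rce"
        findings.append({
            "src": rec["src"],
            "verdict": verdict,
            "zone": injected_zone_value(rec["uri"]),
            "status": rec["status"],
        })
    return findings


# Constructed sample records (not real traffic). The second mirrors the probe shown
# in the Detection & IOCs section, percent-encoded; the third is the same probe
# answered with a non-JSON error page, as after the interface has been firewalled.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "method": "GET", "uri": "/premise/front/login",
     "status": 200, "content_type": "text/html", "body": "<html>login</html>"},
    {"src": "203.0.113.7", "method": "GET",
     "uri": EXPLOIT_URI_PREFIX + "%3B/usr/bin/id%3B",
     "status": 200, "content_type": "application/json",
     "body": '{"msg":"uid=0(root) gid=0(root) groups=0(root)"}'},
    {"src": "198.51.100.9", "method": "GET",
     "uri": EXPLOIT_URI_PREFIX + ";/usr/bin/id;",
     "status": 403, "content_type": "text/html", "body": "<h1>Forbidden</h1>"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['src']:>14}  {f['verdict']:<14} status={f['status']} zone={f['zone']!r}")
```

Decoding the URI before the prefix comparison is the one deliberate departure from the literal ET content match: a percent-encoded copy of the same request would otherwise slip past the prefix test while still reaching the vulnerable endpoint. Any "attempt" finding from an external source is worth cross-checking against the Mirai C2 and propagation traffic mentioned above, since the page ties this CVE to that botnet activity.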
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Yealink Device Management Server-Side Request Forgery (SSRF) Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-27561 [CRITICAL] CWE-78 Yealink Device Management Server-Side Request Forgery (SSRF) Vulnerability
Vulnerability: Yealink Device Management Server-Side Request Forgery (SSRF) Vulnerability
Affected: Yealink Device Management
Yealink Device Management contains a server-side request forgery (SSRF) vulnerability that allows for unauthenticated remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-27561
Remediation Due Date: 2021-11-17
GHSA
GHSA-743m-83p4-9349: Yealink Device Management (DM) 3
ghsa_unreviewed·2022-05-24
CVE-2021-27561 [CRITICAL] CWE-77 GHSA-743m-83p4-9349: Yealink Device Management (DM) 3
Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
VulnCheck
Yealink Device Management Server-Side Request Forgery (SSRF) Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-27561 [CRITICAL] CWE-78 Yealink Device Management Server-Side Request Forgery (SSRF) Vulnerability
Yealink Device Management Server-Side Request Forgery (SSRF) Vulnerability
Yealink Device Management contains a server-side request forgery (SSRF) vulnerability that allows for unauthenticated remote code execution.
Affected: Yealink Device Management
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; https://dashboard.shadowserver.org/statist
Suricata
ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)
suricata·2021-03-17·CVSS 9.8
CVE-2021-27561 [CRITICAL] ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)
ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)"; flow:established,to_server; http.uri; content:"/premise/front/getPingData?url=http|3a 2f 2f|0.0.0.0|3a|9600/sm/api/v1/firewall/zone/services?zone="; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; reference:url,ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562; reference:cve,2021-27561; classtype:attempted-admin; sid:2032095; rev:3; metadata:attack_target IoT, created_at 2021_03_17, cve CVE_2021_27561, deployment Perimeter, per
Nuclei
YeaLink DM 3.6.0.20 - Remote Command Injection
nuclei·CVSS 9.8
CVE-2021-27561 [CRITICAL] YeaLink DM 3.6.0.20 - Remote Command Injection
YeaLink DM 3.6.0.20 - Remote Command Injection
Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
Template:
id: CVE-2021-27561
info:
  name: YeaLink DM 3.6.0.20 - Remote Command Injection
  author: shifacyclewala,hackergautam
  severity: critical
  description: Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected device.
  remediation: |
    Update to the latest firmware version provided by the vendor to mitigate this vulnerability.
  reference:
    - https://ssd-disclosure.com/ssd-advisory-yealink-dm
Bleepingcomputer
Mirai DDoS malware variant expands targets with 13 router exploits
blogs_bleepingcomputer·2023-10-10·CVSS 9.8
[CRITICAL] Mirai DDoS malware variant expands targets with 13 router exploits
## Mirai DDoS malware variant expands targets with 13 router exploits
By Bill Toulas
A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads to target Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others.
Fortinet researchers report observing a peak in the exploitation rates around the first week of September, reaching tens of thousands of exploitation attempts against vulnerable devices.
IZ1H9 compromises devices to enlist them to its DDoS swarm and then launches DDoS attacks on specified targets, presumably on the order of clients renting its firepower.
## Extensive IoT targeting
The more devices and vulnerabilities targeted by a DDoS malware increased the potential to build a large and powerful
Fortinet
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
blogs_fortinet·2023-10-09·CVSS 9.8
[CRITICAL] IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits
By Cara Lin | October 09, 2023
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.
Based on the trigger counts recorded by our IPS signatures, it is evident that peak exploitation occurred on September 6, with trigger counts ran
Fortinet
The Ghosts of Mirai | FortiGuard Labs
blogs_fortinet·2021-06-24
The Ghosts of Mirai | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
The Ghosts of Mirai
By David Maciejak and Joie Salvio | June 24, 2021
FortiGuard Labs Threat Research Report
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
It has been almost five years since the source code of the notorious MIRAI IoT malware was released to the public by its author in late 2016. This event led to the emergence of numerous copycats, creating their own flavors of IoT botnet armies. Although improvements have been constantly added since then by various threat actors, the structure and goal of the campaigns have remained the same.
IoT malware scans the Internet for IoT devices that use default or weak usernames and passwords. They also seek
Unit42
New Mirai Variant Targeting Network Security Devices
blogs_unit42·2021-03-16·CVSS 7.5
CVE-2019-19356 [HIGH] New Mirai Variant Targeting Network Security Devices
## New Mirai Variant Targeting Network Security Devices
By Vaibhav Singhal, Ruchna Nigam, Zhibin Zhang and Asher Davila | Published: March 15, 2021
Tags: CVE-2019-19356, CVE-2020-25506, CVE-2020-26919, CVE-2021-22502, CVE-2021-27561, CVE-2021-27562, IoT, Mirai, VisualDoor
## Executive Summary
On Feb. 16, 2021, Unit 42 researchers discovered attacks leveraging a number of vulnerabilities, including:
- VisualDoor (a SonicWall SSL-VPN exploit).
- CVE-2020-25506 (a D-Link DNS-320 firewall exploit).
- CVE-2020-26919 (a Netgear ProSAFE Plus exploit).
- Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).
- Three other IoT vulnerabilities yet to be identified.
On Feb. 23, 2021, one of the IPs involved
Unit42
New Mirai Variant Targeting Network Security Devices
blogs_unit42·2021-03-16·CVSS 7.5
CVE-2020-25506 [HIGH] New Mirai Variant Targeting Network Security Devices
## Executive Summary
On Feb. 16, 2021, Unit 42 researchers discovered attacks leveraging a number of vulnerabilities, including:
- VisualDoor (a SonicWall SSL-VPN exploit).
- CVE-2020-25506 (a D-Link DNS-320 firewall exploit).
- CVE-2020-26919 (a Netgear ProSAFE Plus exploit).
- Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).
- Three other IoT vulnerabilities yet to be identified.
On Feb. 23, 2021, one of the IPs involved in the attack was updated to serve a Mirai variant leveraging CVE-2021-27561 and CVE-2021-27562, mere hours after vulnerability details were published. On March 3, 2021, the same samples were served from a third IP address, with the addition of an exploit leveraging CVE-2021-22502. Furthermore, on March 13, an exploit targeting CVE-2020-26919 was also
Greynoiseio
Malicious Tag Roundup (October 2021)
blogs_greynoiseio·CVSS 10.0
[CRITICAL] Malicious Tag Roundup (October 2021)
Timeline: 2021-10-15 Published · 2021-11-03 Added to CISA KEV · Exploited in the wild