CVE-2021-33393
published 2021-06-09

Priority P271, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 58.73% (99.0th percentile)
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.

Affected

2 ranges
Vendor   Product   Version range   Fixed in
ipfire   ipfire    < 2.25          2.25
ipfire   ipfire

Detection & IOCs (extracted from sources)

path: /var/ipfire/backup/bin/backup.pl
filename: backup.pl
command: INSPAKS=7zip;<command>&ACTION=install
  • Monitor POST requests to /cgi-bin/pakfire.cgi where the INSPAKS parameter contains a semicolon (;), indicating command injection attempts appended to a package name.
  • Alert on authenticated POST requests to /cgi-bin/pakfire.cgi with ACTION=install and INSPAKS values containing shell metacharacters (e.g., semicolons).
  • Audit ownership and permissions of /var/ipfire/backup/bin/backup.pl; flag if not owned by root, as it may indicate a planted Trojan horse script.
  • Detect the exploit's characteristic HTTP headers: presence of both 'Sec-GPC: 1' and 'Authorization: Basic ...' on POST requests to pakfire.cgi may indicate exploit tooling.
  • The exploit requires valid credentials (authenticated RCE); unauthenticated access alone is insufficient to trigger the vulnerability. Detection rules should account for the Basic Auth header being present.
  • The NVD description notes that similar ownership/permission problems may exist beyond backup.pl; a broader audit of IPFire file ownership is warranted.
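
The request checks in the list above, as an added example (not code from this page, the NVD entry, or IPFire): it decodes the POST body before matching, so a URL-encoded semicolon is caught as well as a literal one. It assumes the request body is available from a proxy or WAF log; the function names and the allow-list of package-name characters are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/cgi-bin/pakfire.cgi"
# Assumption: a legitimate package name is limited to these characters.
PLAIN_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")

def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into name -> [values]."""
    fields = {}
    # Split on '&' only, so a raw ';' stays inside the value it belongs to.
    for pair in filter(None, body.split("&")):
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields

def classify(method, url, body):
    """Return "alert", "monitor" or None for one logged request."""
    if method.upper() != "POST" or urlsplit(url).path != TARGET_PATH:
        return None
    fields = parse_form(body)
    # Anything that is not a plain package name (e.g. contains ';') is suspicious.
    suspicious = [v for v in fields.get("INSPAKS", []) if not PLAIN_NAME.fullmatch(v)]
    if not suspicious:
        return None
    # ACTION=install together with such a value is the combination to alert on.
    return "alert" if "install" in fields.get("ACTION", []) else "monitor"

# Constructed sample requests (method, URL, body); the appended part is the
# page's own "<command>" placeholder, not a real payload.
SAMPLES = [
    ("POST", "/cgi-bin/pakfire.cgi", "INSPAKS=7zip&ACTION=install"),
    ("POST", "/cgi-bin/pakfire.cgi", "INSPAKS=7zip%3B%3Ccommand%3E&ACTION=install"),
    ("POST", "/cgi-bin/pakfire.cgi", "INSPAKS=7zip;<command>&ACTION=install"),
    ("POST", "/cgi-bin/pakfire.cgi", "INSPAKS=7zip%3B%3Ccommand%3E"),
    ("GET", "/cgi-bin/pakfire.cgi", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(classify(method, url, body), method, url, body)
```

Matching against an allow-list instead of a list of metacharacters means the rule does not have to enumerate every shell separator.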

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C