CVE-2021-36380
Published 2021-08-13
CVE-2021-36380: Sunhillo SureLine before 8.7.0.1.1 allows Unauthenticated OS Command Injection via shell metacharacters in ipAddr or dnsAddr in /cgi/networkDiag.cgi.
Priority: P1 · 99 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-03-26
Exploited in the wild
EPSS
97.60%
99.9th percentile
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sunhillo | sureline | < 8.7.0.1.1 | 8.7.0.1.1 |
Detection & IOCs (extracted from sources)
Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi/networkDiag.cgi"; http.request_body; content:"command="; startswith; nocase; content:"&ipAddr="; nocase; content:"&dnsAddr=|24 28|"; nocase; fast_pattern; reference:cve,2021-36380; classtype:attempted-admin; sid:2033459; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_36380, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
Byte pattern: |24 28|
- Exploit arrives as an HTTP POST to /cgi/networkDiag.cgi with shell metacharacters (e.g., $() subshell syntax) injected into the dnsAddr parameter. Body starts with 'command=' and contains both '&ipAddr=' and '&dnsAddr=$(' fields.
- The Snort/ET rule keys on the byte sequence |24 28| (ASCII for '$(', the start of a shell command substitution) immediately following '&dnsAddr=' in the POST body. Use this as a fast-pattern anchor.
- Exploitation can result in outbound reverse TCP connections or outbound HTTP requests (e.g., wget) from the SureLine device to attacker-controlled infrastructure. Monitor for unexpected outbound connections originating from SureLine hosts.
- CISA KEV notes the vulnerability is also used for persistence on the network, not just one-time RCE. Treat any confirmed exploitation as a potential persistence indicator requiring full host investigation.
- The vulnerability is unauthenticated: no session token or credential is required to exploit it. Detection rules must not rely on authentication-failure events as a precursor.
- Both the ipAddr and dnsAddr POST parameters are injectable. Detection logic should cover shell metacharacters in either parameter, not just dnsAddr.
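A defender-side check that covers both parameters, added here as an example (it is not code from the page's sources or from the ET rule): matches_et_rule mirrors the rule's raw-body content matches, while inspect_networkdiag_post URL-decodes the body and flags any shell metacharacter in ipAddr or dnsAddr, so encoded forms and ipAddr injections are also caught. The request bodies are constructed samples, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Both parameters named in the advisory are injectable, so both are inspected.
INJECTABLE_PARAMS = ("ipAddr", "dnsAddr")
# Shell metacharacters that never belong in an IP address or hostname.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")
# Allowlist shape for a legitimate value: IPv4/IPv6 address or hostname characters.
LEGIT_VALUE = re.compile(r"^[A-Za-z0-9.:-]{0,253}$")

def matches_et_rule(body):
    """Mirror the content matches of ET sid 2033459 on the raw body: starts with
    'command=', contains '&ipAddr=' and '&dnsAddr=$(' (all case-insensitive)."""
    b = body.lower()
    return b.startswith("command=") and "&ipaddr=" in b and "&dnsaddr=$(" in b

def inspect_networkdiag_post(uri, body):
    """Return (param, decoded_value, reason) findings for a POST to networkDiag.cgi.
    The body is URL-decoded first, so %24%28 is treated the same as a literal '$('."""
    if not uri.startswith("/cgi/networkDiag.cgi"):
        return []
    findings = []
    params = parse_qs(body, keep_blank_values=True)
    for name in INJECTABLE_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                findings.append((name, value, "shell metacharacter"))
            elif not LEGIT_VALUE.match(value):
                findings.append((name, value, "not an IP address or hostname"))
    return findings

# Constructed sample requests (uri, body); not captured traffic.
SAMPLE_REQUESTS = [
    # 0: benign diagnostic request
    ("/cgi/networkDiag.cgi", "command=ping&ipAddr=192.0.2.10&dnsAddr=192.0.2.53"),
    # 1: the pattern the ET rule keys on, with a harmless placeholder command
    ("/cgi/networkDiag.cgi", "command=ping&ipAddr=192.0.2.10&dnsAddr=$(hostname)"),
    # 2: URL-encoded ';' in ipAddr, outside what the rule's dnsAddr byte anchor covers
    ("/cgi/networkDiag.cgi", "command=ping&ipAddr=192.0.2.10%3Bhostname&dnsAddr=192.0.2.53"),
    # 3: same body against a different CGI, out of scope for this check
    ("/cgi/other.cgi", "command=ping&ipAddr=192.0.2.10&dnsAddr=$(hostname)"),
]

if __name__ == "__main__":
    for uri, body in SAMPLE_REQUESTS:
        print(uri, "ET rule:", matches_et_rule(body),
              "findings:", inspect_networkdiag_post(uri, body))
```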
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | | 9.8 | CRITICAL | |
| CISA | | 9.8 | CRITICAL | |
CISA
Sunhillo SureLine OS Command Injection Vulnerability
cisa·2024-03-05·CVSS 9.8
CVE-2021-36380 [CRITICAL] CWE-78 Sunhillo SureLine OS Command Injection Vulnerability
Vulnerability: Sunhillo SureLine OS Command Injection Vulnerability
Affected: Sunhillo SureLine
Sunhillo SureLine contains an OS command injection vulnerability that allows an attacker to cause a denial-of-service or utilize the device for persistence on the network via shell metacharacters in ipAddr or dnsAddr in /cgi/networkDiag.cgi.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.sunhillo.com/fb011/; https://nvd.nist.gov/vuln/detail/CVE-2021-36380
Remediation Due Date: 2024-03-26
GHSA
GHSA-76jq-2jjj-76w4: Sunhillo SureLine before 8
ghsa_unreviewed·2022-05-24
CVE-2021-36380 [CRITICAL] CWE-78 GHSA-76jq-2jjj-76w4: Sunhillo SureLine before 8
Sunhillo SureLine before 8.7.0.1.1 allows Unauthenticated OS Command Injection via shell metacharacters in ipAddr or dnsAddr /cgi/networkDiag.cgi.
VulnCheck
Sunhillo SureLine OS Command Injection Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-36380 [CRITICAL] CWE-78 Sunhillo SureLine OS Command Injection Vulnerability
Sunhillo SureLine OS Command Injection Vulnerability
Sunhillo SureLine contains an OS command injection vulnerability that allows an attacker to cause a denial-of-service or utilize the device for persistence on the network via shell metacharacters in ipAddr or dnsAddr in /cgi/networkDiag.cgi.
Affected: Sunhillo SureLine
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; https://vulncheck.com/blog/real-world-cve-2023-43261; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-17&host_type=src&vulnerability=cve-2021-36380; https://dashboard.shadowserver.org
Suricata
ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)
suricata·2021-07-27·CVSS 9.8
CVE-2021-36380 [CRITICAL] ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)
ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi/networkDiag.cgi"; http.request_body; content:"command="; startswith; nocase; content:"&ipAddr="; nocase; content:"&dnsAddr=|24 28|"; nocase; fast_pattern; reference:cve,2021-36380; classtype:attempted-admin; sid:2033459; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_36380, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mit
Nuclei
Sunhillo SureLine <8.7.0.1.1 - Unauthenticated OS Command Injection
nuclei·CVSS 9.8
CVE-2021-36380 [CRITICAL] Sunhillo SureLine <8.7.0.1.1 - Unauthenticated OS Command Injection
Sunhillo SureLine <8.7.0.1.1 - Unauthenticated OS Command Injection
Sunhillo SureLine <8.7.0.1.1 is vulnerable to OS command injection. The /cgi/networkDiag.cgi script directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. The following POST request injects a new command that instructs the server to establish a reverse TCP connection to another system, allowing the establishment of an interactive remote shell session.
Template:
id: CVE-2021-36380
info:
name: Sunhillo SureLine <8.7.0.1.1 - Unauthenticated OS Command Injection
author: gy741
severity: critical
description: Sunhillo SureLine <8.7.0.1.1 is vulnerable to OS command injection. The /cgi/networkDiag.cgi script direc
Bleepingcomputer
Mirai DDoS malware variant expands targets with 13 router exploits
blogs_bleepingcomputer·2023-10-10·CVSS 9.8
[CRITICAL] Mirai DDoS malware variant expands targets with 13 router exploits
## Mirai DDoS malware variant expands targets with 13 router exploits
## Bill Toulas
A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads to target Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others.
Fortinet researchers report observing a peak in the exploitation rates around the first week of September, reaching tens of thousands of exploitation attempts against vulnerable devices.
IZ1H9 compromises devices to enlist them to its DDoS swarm and then launches DDoS attacks on specified targets, presumably on the order of clients renting its firepower.
## Extensive IoT targeting
The more devices and vulnerabilities targeted by a DDoS malware increased the potential to build a large and powerful
Fortinet
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
blogs_fortinet·2023-10-09·CVSS 9.8
[CRITICAL] IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits
By Cara Lin | October 09, 2023
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.
Based on the trigger counts recorded by our IPS signatures, it is evident that peak exploitation occurred on September 6, with trigger counts ran
References:
- https://research.nccgroup.com/2021/07/26/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/
- https://www.sunhillo.com/product/sureline/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-36380
Timeline:
- 2021-08-13: Published
- 2024-03-05: Added to CISA KEV
- Exploited in the wild