CVE-2021-38759
Published 2021-12-07
CVE-2021-38759: Raspberry Pi OS through 5.10 has the raspberry default password for the pi account. If not changed, attackers can gain administrator privileges.
Priority: P271 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 15.67% (96.4th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| raspberrypi | raspberry_pi_os_lite | <= 5.10 | — |
Detection & IOCs (extracted from sources)
- Detect SSH login attempts using the default username 'pi' and password 'raspberry' against any host, indicative of CVE-2021-38759 exploitation.
- Monitor for successful SSH authentication as user 'pi' followed immediately by execution of the 'id' command, which is the post-exploitation step in the published PoC.
- Alert on SSH connections using the Paramiko Python library (identifiable via its SSH client banner/user-agent string) authenticating as 'pi', as the PoC exploit is implemented in Python using Paramiko.
- The default credentials are only exploitable if the 'pi' account password has not been changed from the default 'raspberry'; systems where the password has been updated are not vulnerable.
- The exploit requires SSH to be enabled and reachable on the target Raspberry Pi device; SSH is not enabled by default on all Raspberry Pi OS versions.
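The first detection above, sketched as an added example (not from the source page or any referenced PoC) over constructed sshd log lines. It assumes OpenSSH's standard syslog message format; the function names are hypothetical. sshd never logs the password itself, so an accepted password login as 'pi' is a lead to verify, not proof that the default was used.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines (not from a real host); RFC 5737 addresses.
SAMPLE_LOG = """\
Dec  7 10:01:02 rpi sshd[811]: Failed password for pi from 198.51.100.7 port 40112 ssh2
Dec  7 10:01:05 rpi sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 40114 ssh2
Dec  7 10:01:09 rpi sshd[815]: Accepted password for pi from 198.51.100.7 port 40120 ssh2
Dec  7 10:05:44 rpi sshd[902]: Accepted publickey for pi from 192.0.2.15 port 52200 ssh2: ED25519 SHA256:CONSTRUCTED
Dec  7 10:09:13 rpi sshd[950]: Accepted password for alice from 192.0.2.20 port 53001 ssh2
Dec  7 10:12:30 rpi sshd[977]: Failed password for pi from 203.0.113.9 port 33810 ssh2
"""

# Matches sshd's "Accepted|Failed <method> for [invalid user ]<user> from <ip> port <n>".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def pi_password_events(log_text, account="pi"):
    """Return {source_ip: {"failed": n, "accepted": n}} for password auth as `account`."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m or m["user"] != account or m["method"] != "password":
            continue  # key-based logins as pi are not default-password use
        key = "accepted" if m["result"] == "Accepted" else "failed"
        stats[m["src"]][key] += 1
    return dict(stats)


def alerts(log_text):
    """One (severity, source_ip, failed, accepted) tuple per source address.

    "high": a password login as pi succeeded; "low": only failed attempts seen.
    """
    out = []
    for src, counts in sorted(pi_password_events(log_text).items()):
        severity = "high" if counts["accepted"] else "low"
        out.append((severity, src, counts["failed"], counts["accepted"]))
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)
```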
CVSS provenance
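| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |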
CWE-1392: Use of Default Credentials
Source: mitre_cwe · CVSS 8.1 · HIGH
The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.
It is common practice for products to be designed to use default keys, passwords, or other mechanisms for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.
Modes of Introduction:
Phase: Architecture and Design
Common Consequences:
Scope: Authentication. Impact: Gain Privileges or Assume Identity.
Potential Mitigations:
[Requirements] Prohibit use of default, hard-coded, or other values that
CWE-1393: Use of Default Password
Source: mitre_cwe
The product uses default passwords for potentially critical functionality.
It is common practice for products to be designed to use default passwords for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, then it makes it easier for attackers to quickly bypass authentication across multiple organizations. There are many lists of default passwords and default-password scanning tools that are easily available from the World Wide Web.
Modes of Introduction:
Phase: Architecture and Design
Common Consequences:
Scope: Authentication. Impact: Gain Privileges or Assume Identity.
Potential Mitigations:
[Requir
CWE-1391: Use of Weak Credentials
Source: mitre_cwe
The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.
By design, authentication protocols try to ensure that attackers must perform brute force attacks if they do not know the credentials such as a key or password. However, when these credentials are easily predictable or even fixed (as with default or hard-coded passwords and keys), then the attacker can defeat the mechanism without relying on brute force. Credentials may be weak for different reasons, such as:
- Hard-coded (i.e., static and unchangeable by the administrator)
- Default (i.e., the same static value across different deployments/installations, but able to be changed by the administrator)
- Predictable
References:
- http://packetstormsecurity.com/files/165211/Raspberry-Pi-5.10-Default-Credentials.html
- https://arstechnica.com/gadgets/2022/04/raspberry-pi-os-axes-longstanding-default-user-account-in-the-name-of-security/
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-43968
- https://www.raspberrypi.com/documentation/computers/configuration.html#change-the-default-password