CVE-2021-44736
published 2022-01-20

CVE-2021-44736: The initial admin account setup wizard on Lexmark devices allows unauthenticated access to the "out of service erase" feature.

Priority: P2
Severity: critical (CVSS 3.1 base score 9.8)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.43% (82.2th percentile)

Detection & IOCs (extracted from sources)

url: https://target/cgi-bin/sniffcapture_post
path: /usr/share/web/cgi-bin
path: /usr/bin/collect-selogs-wrapper
path: /usr/bin/collect-selogs.sh
process: collect-selogs-wrapper
  • Monitor for unauthenticated HTTP requests to /cgi-bin/sniffcapture_post on Lexmark devices, particularly those containing shell metacharacters in the -F (filter) parameter, which is passed unsanitized to eval.
  • The shell command injection vulnerability (CVE-2021-44735) is exploitable only after CVE-2021-44736 resets authentication; detect the 'out of service erase' / initial setup wizard being triggered from an unauthenticated session as a precursor indicator.
  • The web process runs as uid=985(httpd); privilege escalation to root is achieved via the SUID binary collect-selogs-wrapper which calls execv() without sanitizing $PATH. Alert on unexpected processes spawned by httpd (uid 985) with elevated privileges.
  • The sniffcapture_post CGI script passes the unsanitized 'filter' field (supplied via -F argument) into an eval call; network signatures should look for POST bodies containing shell injection payloads in the -F parameter to this endpoint.
  • Affected firmware versions are CXLBL.075.272 (2021-07-29) and CXLBL.075.281 (2021-10-14) on the Lexmark MC3224; inventory devices running these versions, as they are exploitable.
  • CVE-2021-44736 (Authentication Reset) is NOT fixed by the firmware update CXLBL.076.294; users must implement a separate workaround per the Lexmark Security Alert. The firmware update only addresses CVE-2021-44735 (Shell Command Injection).
  • The two CVEs form a chained exploit: CVE-2021-44736 must be triggered first to reset authentication and expose the web interface, before CVE-2021-44735 (command injection via sniffcapture_post) can be exploited by an unauthenticated attacker.

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)