Command Injection in Multiple Snap One Araknis Networks Products
CVE-2021-40144, CVE-2021-40844, CVE-2021-42661: Command Injection vulnerabilities in Snap One Araknis Networks® switches and access points.
Stroz Friedberg’s Cyber Solutions discovered multiple command injection vulnerabilities affecting a number of Snap One Araknis Networks® switches and access points. The list of affected products and firmware versions can be found below. The vulnerabilities were discovered by Stroz Friedberg’s Cyber Solutions team member Howard McGreehan.
Stroz Friedberg would like to thank Snap One for working with us as part of our coordinated disclosure process.
Timeline:
- 03/21/21 – Initial disclosure to Security@SnapAV.com
- 06/01/21 – Issues confirmed by Snap One, firmware upgrade release dates set
- 10/05/21 – Patches released
- 06/07/22 – Stroz Friedberg advisory released
Vulnerability Listing / Credits:
- CVE-2021-40144 – Command Injection in datajson.cgi
- CVE-2021-40844 – Command Injection in OpenWRT LuCI
- CVE-2021-42661 – Command Injection in OpenWRT LuCI
Affected Products:
According to the vendor, the following products and firmware versions are affected:
Command Injection in Multiple Snap One Araknis Networks Products
Overview
Multiple Snap One Araknis Networks products are vulnerable to authenticated command injection attacks within their administrative panels. This vulnerability can be triggered by sending specially crafted HTTP requests to affected models’ onboard, web-based networking tools. Exploiting these vulnerabilities allows the attacker to fully takeover the devices as the root user and may be leveraged via Cross-Site Request Forgery (CSRF).
Remediation
Firmware updates may be obtained through Snap One Partners or from the Snap One Product Support section.
Vendor Thanks:
https://www.control4.com/company/privacy-and-security/thank-you-white-hats