CVE-2021-44776 The SubNet_handler_func function has a broken access control vulnerability that allows an attacker to change the security access rights to KVM and Virtual Media functionalities.


All users are advised to upgrade to a fixed version as soon as possible. In addition, all Lanner users are advised to update to the latest version of the firmware and apply the security patch as soon as possible. Lanner has implemented the following steps to address this issue:

* Lanner has updated the SubNet_handler_func function in the spx_restservice code to close all the open access rights after successful completion of a request.
* Lanner has updated the SubNet_handler_func function in the spx_restservice code to drop all the open access rights after failed completion of a request.
* Lanner has updated the SubNet_handler_func function in the spx_restservice code to close all the open access rights before execution. This is done by checking the user_access variable against a specific value.
* Lanner has updated the SubNet_handler_func function in the spx_restservice code to drop all the open access rights before execution. This is done by checking the user_access variable against a specific value.

Mitigation Steps for Users

Installing Lanner
If you have already installed Lanner, we recommend that you update to the latest version of the firmware and apply the security patch as soon as possible.
If you do not have a current version of the firmware and are unable to update your system, please follow these steps to perform a manual firmware update:
1. Download the updated firmware from the Lanner website: http://lanner.co.kr/downloads/firmware.html
2. Extract the downloaded file into any folder on your computer (not USB memory)
3. Power off the LANNER device and remove the power cable from the LANNER device for 30 seconds or more
4. Update the LANNER device by pressing and holding the "POWER" button for 3 seconds or more until the LED starts blinking green
5. Reconnect the power cable to the LANNER device after updating

Latest Firmware and Network Configuration Steps

For those who have updated to the latest firmware, please ensure that the Lanner Network Configuration tool is up-to-date and configured properly.

* Update to the latest firmware and apply the security patch as soon as possible.
* Open the Lanner Network Configuration tool on Windows or Mac and update to the latest version of the tool.
* If you are using a Linux operating system, please apply the commands provided below:

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install curl -y && sudo curl https://www.lerna.net/install -o /etc/apt/sources.list.d/lerna.list && sudo apt-get update -y && sudo apt-get install lerna -y
* Apply the appropriate changes in your network configuration files:

# vi /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8
    dns-search lanner

# vi /etc/hosts
::1 localhost
127 localhost lanner
