RaspAP < v3.1.5 - Arbitrary Command Execution (RCE) via Critical File Permission Flaw in RestAPI Service Configuration (CVE-2024-41637)

Description

Background & Context

RaspAP provides a simple wireless AP setup & management for Debian-based devices, including the Raspberry Pi. RaspAP includes a mobile-ready GUI interface that offers control over the relevant services and networking options. It is designed to transform a Raspberry Pi into a wireless hotspot or router. The tool is particularly popular in educational settings and IoT applications. Advanced DHCP settings, WireGuard and OpenVPN support, SSL certificates, security audits, captive portal integration, themes and multilingual options are included.

Vulnerability Summary

RaspAP contains a critical security vulnerability: the www-data user has write access to the critical $webroot_dir/installers/restapi.service file, which typically resolves to the path /lib/systemd/system/restapi.service. This configuration file defines several properties of the RestAPI (web UI) service. Critically, it contains two directives, ExecStart and ExecStop, which respectively define the paths to the commands to be run when the RestAPI service starts and stops. Since the service start/stop are performed by the root user, these commands can perform unrestricted system operations.

Because the www-data user has (improper) write access to the configuration file, they are able to modify the commands that are executed on service start/stop by, for example, performing a chmod operation on the /bin/bash shell binary in order to set the SUID flag on the file. A file with the SUID bit set always executes as the user who owns the file (in this case the superuser root), regardless of the user invoking the command. Hence, on service restart, the low-privilege www-data user gains the ability to execute arbitrary (malicious) bash shell commands as root.
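The weakness above is a file-permission flaw, so the defender's check is a permission audit of the unit file. The following script is an added example, not code from the advisory or the RaspAP project; it assumes GNU coreutils stat (as on Debian-based RaspAP hosts), and its optional second argument (expected owner) is a hypothetical test hook that defaults to root.

```shell
#!/bin/sh
# Added example (not from the advisory or RaspAP): audit a systemd unit file
# for the weakness described above, i.e. a unit that a non-root user such as
# www-data could edit. Assumes GNU coreutils stat.
# Returns 0 when the file is owned by the expected owner and carries no
# group/other write bit, 1 when either check fails, 2 when the file is absent.
audit_unit_file() {
    path=$1
    expected_owner=${2:-root}   # hypothetical parameter; root on a real host
    if [ ! -f "$path" ]; then
        echo "MISSING    $path"
        return 2
    fi
    mode=$(stat -c '%a' "$path")
    owner=$(stat -c '%U' "$path")
    # %a prints 3 or 4 octal digits; the last two are the group and other bits.
    group_bits=$(printf '%s' "$mode" | tail -c 2 | head -c 1)
    other_bits=$(printf '%s' "$mode" | tail -c 1)
    status=0
    if [ "$owner" != "$expected_owner" ]; then
        echo "BAD OWNER  $path is owned by $owner, expected $expected_owner"
        status=1
    fi
    # Octal digit with the write bit (2) set means that class can edit the unit.
    if [ $((group_bits & 2)) -ne 0 ] || [ $((other_bits & 2)) -ne 0 ]; then
        echo "WRITABLE   $path has mode $mode (group/other write bit set)"
        status=1
    fi
    # Print the privileged commands so they can be diffed against a known-good copy.
    grep -E '^Exec(Start|Stop)=' "$path" | sed "s|^|  $path: |"
    [ "$status" -eq 0 ] && echo "OK         $path (owner $owner, mode $mode)"
    return "$status"
}

# On a RaspAP host: audit_unit_file /lib/systemd/system/restapi.service
```

A non-zero result on the restapi.service unit means the ExecStart/ExecStop lines should be compared with the packaged original before the service is next restarted.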

Impact If Exploited

Successful exploitation allows an attacker to escalate privileges. The combination of permission and ownership management flaws allows a remote attacker to modify the system configuration to permit the execution of arbitrary code with root privileges, escalating their access from the www-data context to the superuser (root) context.

This vulnerability has not yet been listed by CISA (America's Cyber Defense Agency) in its Known Exploited Vulnerabilities (KEV) catalog, and there are no current reports of it being actively exploited in the wild as of 2024-08-08; however, the vulnerability is trivial to exploit and exploit code for the 0-day is publicly available 'in the wild'. Prioritisation should be given to remediation in any impacted environment.

Affected Product Versions

  • All RaspAP versions prior to release 3.1.5

Indicators of Compromise (IoC)

The vendor has not published a list of indicators of compromise (IoC) at the time of writing.

Remediation

Official Fix & Remediation Guidance

The vulnerability has been addressed in version 3.1.5. Customers are advised to upgrade to the latest version of the impacted product as soon as possible.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

Temporary Mitigation & Workarounds

(The vendor has not advised of any alternative temporary mitigation or workarounds)

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

Risk

Impact: Critical
Probability: High
CVSS v4 Score: 8.7 / 10
CVSS v3 Score: 8.8 / 10
CVSS v2 Score: 5.9 / 10
EPSS: 0.1 %

Versions

Information

Category: Arbitrary Code Execution
CWE:
  • CWE-708
  • CWE-732
Known Exploitation Activity: none reported as of 2024-08-08

OWASP

OWASP 2013: A5 - Security Misconfiguration
OWASP 2017: A6 - Security Misconfiguration
OWASP 2021: A5 - Security Misconfiguration