Digital Defense, Inc. is disclosing a vulnerability identified in NETSHIELD Corporation Nano 25 discovered by our Vulnerability Research Team (VRT). The engineers at NETSHIELD Corporation were prompt in their response when notified of the flaw and have provided a patch for the cyber security issue.
NETSHIELD Corporation has released a patch for the affected Nano 25 version 10.2.18.
Digital Defense’s Frontline Vulnerability Manager™ will not include an explicit check for this vulnerability due to the requirement of valid credentials to trigger it.
Details of the vulnerability are as follows:
DDI-VRT-2020-06 – NETSHIELD Corporation Nano 25 Authenticated Root Command Injection (CVE-2021-3149)
Post Authentication Root Command Injection
An authenticated attacker could leverage this vulnerability to execute arbitrary operating system commands with root privileges.
NETSHIELD Corporation Nano 25 version 10.2.18
The Perl script manual_ping.cgi hosted in /usr/local/webmin/System/ passes insufficiently filtered user input to system(), which allows an attacker to inject shell commands.
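The defensive pattern for a Perl ping handler of this kind is to validate the target strictly and start the process without a shell. The code below is an added example, not NETSHIELD's code or its patch; the function names `valid_target` and `run_ping` and the `/bin/ping` path are assumptions.

```perl
#!/usr/bin/perl
# Added example (not the vendor's code): ping a user-supplied target
# without ever handing the value to /bin/sh.
use strict;
use warnings;

# Accept only a dotted-quad IPv4 address or an RFC 1123 style hostname.
# Both forms must start with an alphanumeric, so a value beginning with
# "-" can never be read by ping as an option.
sub valid_target {
    my ($t) = @_;
    return 0 unless defined $t && length $t && length($t) <= 253;
    if ($t =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/) {
        return (grep { $_ > 255 } $1, $2, $3, $4) ? 0 : 1;
    }
    my $label = qr/[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/i;
    return ($t =~ /[a-z]/i && $t =~ /\A$label(?:\.$label)*\z/) ? 1 : 0;
}

# Returns (status, body). Hypothetical helper a CGI script would call
# with the submitted form value.
sub run_ping {
    my ($target) = @_;
    return (400, "invalid target\n") unless valid_target($target);

    # List-form pipe open: each element becomes one argv entry for
    # execve(), so characters such as ; | & $ ` are never interpreted.
    # A single-string system("ping ... $target") would go through the shell.
    open(my $ph, '-|', '/bin/ping', '-c', '3', '-w', '5', $target)
        or return (500, "cannot run ping\n");
    my $out = do { local $/; <$ph> };
    close $ph;
    return (200, defined $out ? $out : '');
}

# Constructed inputs: the last three carry shell metacharacters or a
# leading dash and are rejected before any process is started.
for my $t ('192.0.2.10', 'gw.example.net', '192.0.2.10;id', '$(id)', '-f') {
    printf "%-16s %s\n", $t, valid_target($t) ? 'accepted' : 'rejected';
}
```

Validation and shell-free execution are independent controls: either one alone blocks the injection described here, and keeping both means a later loosening of the pattern does not reopen it.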