CVE-2021-33903 in LCOS

Summary

by MITRE • 10/07/2021

In LCOS 10.40 to 10.42.0473-RU3 with SNMPv3 enabled on LANCOM devices, changing the password of the root user via the CLI does not change the password of the root user for SNMPv3 access. (However, changing the password of the root user via LANconfig does change the password of the root user for SNMPv3 access.)


Analysis

by VulDB Data Team • 10/10/2021

This vulnerability affects LANCOM devices running LCOS 10.40 through 10.42.0473-RU3 with SNMPv3 enabled. The core issue is inconsistent password synchronization between the command line interface and the web-based configuration management system: when an administrator changes the root password through the CLI, the change applies only to the local shell authentication mechanism and is not propagated to the SNMPv3 authentication credentials. The result is a discrepancy in which the root user authenticates via the CLI with the new password while the same account remains accessible via SNMPv3 with the old password, so anyone holding the old credential keeps remote access.

The technical flaw stems from improper credential management within the device's authentication subsystem. According to CWE-601, this represents a URL redirection vulnerability in which the system fails to properly synchronize authentication states across different access methods. In practice it is a credential synchronization issue: the same user account exists with different passwords across multiple authentication mechanisms. This design flaw allows an attacker who knows the old password to keep access through SNMPv3 even after a legitimate password change through the CLI, creating a persistent backdoor that bypasses standard security controls.

The operational impact of this vulnerability on network security posture and compliance is significant. Organizations using LANCOM devices in regulated environments face potential violations of security standards such as the NIST SP 800-53 controls for access control and audit logging. The vulnerability enables privilege escalation attacks in which unauthorized users retain persistent access to critical network infrastructure through SNMPv3 while the password appears to have been changed through legitimate administrative procedures. This muddies audit trails and undermines enforcement of the principle of least privilege.

Security professionals should implement immediate mitigations: disable SNMPv3 where it is not required, apply strict network segmentation to limit SNMP access, and conduct comprehensive credential audits across all authentication mechanisms. In terms of the MITRE ATT&CK framework, this vulnerability maps to T1078 Valid Accounts and T1566 Phishing, as it enables attackers to maintain persistent access and potentially escalate privileges through the misconfigured authentication system. Organizations should also enforce mandatory password change policies across all authentication interfaces and monitor for unauthorized SNMP access attempts. The recommended remediation is to apply the vendor-provided security patch, which ensures consistent password synchronization between the CLI and the web-based configuration management system and thereby prevents the credential desynchronization that enables persistent unauthorized access.
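The following is an added example, not code from LCOS or from VulDB, that models the two points made in the analysis above: why a CLI password change must also touch the SNMPv3 credential store, and how a post-change credential audit across every interface catches the desynchronization. SNMPv3 (RFC 3414 USM) never stores the password itself; it stores a key derived from the password and localized with the agent's engineID, so a password change on one interface has to re-derive that key. The `Device` class, its PBKDF2-based CLI hashing, the probe message and the password values are all constructed for illustration; the `maplesyrup` password and `000000000000000000000002` engineID are the RFC 3414 Appendix A test vectors, which the key derivation reproduces.

```python
import hashlib
import hmac
import secrets

ONE_MIB = 1048576


def usm_password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to exactly 1 MiB."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(algo, stream).digest()


def usm_localize_key(key: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: bind the key to one agent as H(key || engineID || key)."""
    return hashlib.new(algo, key + engine_id + key).digest()


def usm_sign(localized_key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """Manager side of usmHMAC96 authentication: HMAC truncated to 12 bytes."""
    return hmac.new(localized_key, message, algo).digest()[:12]


class Device:
    """Constructed model of a device holding two credential stores for the same root user."""

    def __init__(self, engine_id: bytes, root_password: bytes, algo: str = "sha1"):
        self.engine_id = engine_id
        self.algo = algo
        self.cli_salt = secrets.token_bytes(16)
        self.cli_hash = self._cli_hash(root_password)      # shell login store
        self.usm_key = self._usm_key(root_password)        # SNMPv3 USM store

    def _cli_hash(self, password: bytes) -> bytes:
        # Assumed CLI password hashing; the real scheme is not part of this example.
        return hashlib.pbkdf2_hmac("sha256", password, self.cli_salt, 50_000)

    def _usm_key(self, password: bytes) -> bytes:
        return usm_localize_key(usm_password_to_key(password, self.algo), self.engine_id, self.algo)

    def cli_login(self, password: bytes) -> bool:
        return hmac.compare_digest(self._cli_hash(password), self.cli_hash)

    def snmpv3_verify(self, message: bytes, auth_param: bytes) -> bool:
        """Agent side: recompute the HMAC with the stored localized key."""
        expected = usm_sign(self.usm_key, message, self.algo)
        return hmac.compare_digest(expected, auth_param)

    def change_root_password_cli_vulnerable(self, new_password: bytes) -> None:
        # Models the behaviour described for CVE-2021-33903: only the CLI store is updated,
        # the SNMPv3 key derived from the old password stays in place.
        self.cli_hash = self._cli_hash(new_password)

    def change_root_password_cli_fixed(self, new_password: bytes) -> None:
        # Hardened variant: every store that holds a credential for root is re-derived.
        self.cli_hash = self._cli_hash(new_password)
        self.usm_key = self._usm_key(new_password)


def snmpv3_login(device: Device, password: bytes) -> bool:
    """Manager-side check: derive the localized key from a password and sign a probe."""
    key = usm_localize_key(usm_password_to_key(password, device.algo), device.engine_id, device.algo)
    probe = b"constructed-get-request"  # stands in for an authenticated SNMPv3 PDU
    return device.snmpv3_verify(probe, usm_sign(key, probe, device.algo))


def audit_credential_consistency(device: Device, old_pw: bytes, new_pw: bytes) -> dict:
    """Post-change audit: each interface must reject the old password and accept the new one."""
    checks = {
        "cli": (not device.cli_login(old_pw), device.cli_login(new_pw)),
        "snmpv3": (not snmpv3_login(device, old_pw), snmpv3_login(device, new_pw)),
    }
    return {name: {"old_rejected": r, "new_accepted": a, "consistent": r and a}
            for name, (r, a) in checks.items()}


def demo():
    """Run the audit once after the vulnerable change and once after the fixed change."""
    engine_id = bytes.fromhex("000000000000000000000002")
    dev = Device(engine_id, b"maplesyrup")
    dev.change_root_password_cli_vulnerable(b"new-root-password")
    before = audit_credential_consistency(dev, b"maplesyrup", b"new-root-password")
    dev.change_root_password_cli_fixed(b"new-root-password")
    after = audit_credential_consistency(dev, b"maplesyrup", b"new-root-password")
    return before, after


if __name__ == "__main__":
    for label, result in zip(("vulnerable change", "fixed change"), demo()):
        print(label, result)
```

In the vulnerable run the audit reports `cli` consistent but `snmpv3` with `old_rejected` False, which is exactly the signal a credential audit across all authentication mechanisms should raise after a root password rotation; after the fixed change both interfaces report consistent. The same audit shape, with a real SNMPv3 client in place of `snmpv3_login`, is what an operator would run against a device after rotating credentials on a version the advisory lists.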

Reservation

06/07/2021

Disclosure

10/07/2021

Moderation

accepted

CPE

ready

EPSS

0.01066

KEV

no

Activities

very low

Sources
