CVE-2021-27561: 
Yealink Device Management vulnerability analysis and mitigation

Yealink Device Management (DM) version 3.6.0.20 and prior versions contain a critical remote code execution vulnerability identified as CVE-2021-27561. The vulnerability allows unauthenticated attackers to execute arbitrary commands with root privileges via the /sm/api/v1/firewall/zone/services URI. This vulnerability was discovered in February 2021 and publicly disclosed by security researchers Pierre Kim and Alexandre Torres through the SSD Secure Disclosure program (SSD Advisory).

The vulnerability stems from a command injection flaw in the smserver daemon running as root on port 9600/tcp. The exploitation chain involves chaining a pre-authentication Server-Side Request Forgery (SSRF) vulnerability with a command injection vulnerability. The attack path flows through Nginx (port 443) to NodeJS (port 9880) and finally to smserver, where the command injection occurs in the fwrestfulserviceget() function located in the module /usr/local/yealink/smserver/mod/modfirewall.so. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows attackers to execute arbitrary commands with root-level privileges on the affected system without requiring authentication. This gives attackers complete control over the affected device, potentially enabling them to access sensitive information, modify system configurations, and use the compromised system as a foothold for further network attacks (SSD Advisory).

Yealink indicated they would release a new version with security fixes in early 2021. Organizations should update to the latest version of Yealink Device Management platform when available. As temporary mitigations, organizations should ensure the affected systems are not directly accessible from the internet and implement strong network segmentation controls (SSD Advisory).