CVE-2021-36380 — Sunhillo SureLine OS Command Injection Vulnerability


Sunhillo SureLine — Unauthenticated OS Command Injection in Network Diagnostics CGI Enabling Root Persistence on Radar Data Processing Infrastructure

What is Sunhillo SureLine?

Sunhillo Corporation manufactures radar data processing appliances used in critical infrastructure — specifically in air traffic control, military surveillance, and transportation monitoring systems. The SureLine product processes radar track data from multiple sensor sources and distributes it to displays and recording systems. Because SureLine devices are deployed in safety-critical aviation and defense environments, vulnerabilities in these systems carry significant national security implications. A compromised radar data processing system could be used for persistence in critical infrastructure networks or to disrupt situational awareness systems.

Overview

CVE-2021-36380 is an OS command injection vulnerability (CWE-78) in the Sunhillo SureLine network diagnostic CGI script. The /cgi/networkDiag.cgi script accepts the ipAddr and dnsAddr parameters and passes them to OS commands without sanitizing shell metacharacters. An unauthenticated remote attacker can therefore inject arbitrary OS commands that execute with root privileges on the SureLine appliance. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog in March 2024, nearly three years after the original advisory, reflecting confirmed exploitation in the wild against critical infrastructure.

Affected Versions

Product: Sunhillo SureLine
Vulnerable: Versions before the Sunhillo FB011 fix
Fixed: Updated firmware per the FB011 advisory

Technical Details

The SureLine network diagnostic CGI script is intended to allow administrators to run network diagnostic tests (ping, DNS lookup) from the web interface. The script passes the user-supplied ipAddr and dnsAddr parameters directly to OS commands without sanitization:

  • Root cause: OS command injection (CWE-78) — user-supplied IP address and DNS address parameters are passed to shell commands (ping, nslookup) without metacharacter filtering
  • Injection vector: Semicolons, backticks, $(...) syntax, and other shell metacharacters in the parameter values cause additional commands to execute
  • Authentication required: None — the CGI script is accessible without authentication
  • Execution context: Commands execute as root on the SureLine appliance
  • Network position: SureLine devices may be on operational technology (OT) networks that connect to radar sensors and air traffic management systems

Discovery

Identified by security researchers studying industrial and aviation infrastructure security. The three-year gap between the 2021 advisory and the 2024 CISA KEV addition indicates sustained exploitation against unpatched systems in critical infrastructure environments.

Exploitation Context

The CISA KEV addition in March 2024 reflects confirmed exploitation of SureLine devices. Critical infrastructure devices like SureLine are attractive long-term access targets for nation-state actors seeking persistent presence in transportation and defense networks. Command injection on a radar data processing appliance could enable eavesdropping on radar track data, disruption of data feeds, or lateral movement into connected aviation management networks.

Remediation

  1. Apply the Sunhillo firmware update per Security Advisory FB011
  2. Restrict network access to the SureLine web management interface to authorized maintenance workstations only — it should not be accessible from untrusted networks
  3. Implement network segmentation to isolate SureLine appliances from corporate IT networks and the internet
  4. Review SureLine access logs for unexpected HTTP requests to /cgi/networkDiag.cgi containing shell metacharacters
  5. If compromise is suspected, perform a full system integrity check and contact Sunhillo for incident response guidance
  6. Follow CISA's operational technology security guidance for securing critical infrastructure devices
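As an added example (not Sunhillo's code and not part of the FB011 advisory), the following Python combines the two checks a practitioner would want from the Technical Details and Remediation sections: the strict allowlist validation a fixed diagnostic handler should apply to ipAddr and dnsAddr before handing them to ping or nslookup as separate argv elements, and the access-log review from remediation step 4, run over constructed Common Log Format lines. The log layout, the sample entries and the assumption that the appliance logs in that format are all mine, not the page's.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Query parameters the page names for /cgi/networkDiag.cgi
DIAG_PARAMS = ("ipAddr", "dnsAddr")
# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Common Log Format request line (assumed layout for the constructed samples)
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_valid_target(value: str) -> bool:
    """Allowlist check a hardened diagnostic handler should apply: only a literal
    IP address or a plain hostname passes, so ; ` $( ) never reach ping/nslookup.
    The accepted value must still go to the tool as its own argv element."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME.match(value))

def scan_access_log(lines):
    """Remediation step 4: (timestamp, source, parameter, decoded value) for each
    /cgi/networkDiag.cgi request whose ipAddr/dnsAddr fails the allowlist."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/cgi/networkDiag.cgi":
            continue
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for v in (values if name in DIAG_PARAMS else ()):
                v = unquote(v)  # second decode catches double-encoded values
                if not is_valid_target(v):
                    findings.append((m.group("ts"), m.group("src"), name, v))
    return findings

# Constructed sample lines in Common Log Format; not real SureLine logs
SAMPLE_LOG = [
    '10.1.1.20 - - [05/Mar/2024:10:15:02 +0000] "GET /cgi/networkDiag.cgi?ipAddr=10.1.1.1 HTTP/1.1" 200 512',
    '10.1.1.20 - - [05/Mar/2024:10:15:09 +0000] "GET /cgi/networkDiag.cgi?dnsAddr=ntp.example.net HTTP/1.1" 200 640',
    '198.51.100.7 - - [05/Mar/2024:10:17:41 +0000] "GET /cgi/networkDiag.cgi?ipAddr=10.1.1.1%3Bid HTTP/1.1" 200 700',
    '198.51.100.7 - - [05/Mar/2024:10:17:55 +0000] "GET /cgi/networkDiag.cgi?dnsAddr=%24%28id%29 HTTP/1.1" 200 700',
    '10.1.1.20 - - [05/Mar/2024:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Because the check is an allowlist rather than a metacharacter blocklist, encoded or unusual variants of the same injection are flagged without maintaining a list of bad characters; legitimate values (an IP literal or a hostname) are the only ones that pass.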

Key Details

CVE ID: CVE-2021-36380
Vendor / Product: Sunhillo — SureLine
NVD Published: 2021-08-13
NVD Last Modified: 2025-11-05
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-78
CISA KEV Added: 2024-03-05
CISA KEV Deadline: 2024-03-26
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-03-26. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

2021-08-13: Sunhillo publishes security advisory FB011; CVE published
2024-03-05: Added to CISA Known Exploited Vulnerabilities catalog
2024-03-26: CISA BOD 22-01 remediation deadline

References

Sunhillo Security Advisory FB011 (Vendor Advisory)
NVD — CVE-2021-36380 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)