CVE-2021-38759 Overview
CVE-2021-38759 is an Insecure Default Configuration vulnerability affecting Raspberry Pi OS through version 5.10. The operating system ships with a well-known default password ("raspberry") for the "pi" user account. If administrators fail to change this default credential during initial setup, remote attackers can leverage this weakness to gain administrator privileges on the device, leading to complete system compromise.
Critical Impact
Attackers can gain full administrator privileges on Raspberry Pi devices using the widely-known default credentials, enabling complete system takeover, data theft, botnet recruitment, and lateral movement within networks.
Affected Products
- Raspberry Pi OS Lite (all versions through 5.10)
- Raspberry Pi OS (all versions through 5.10)
- Any Raspberry Pi device running the affected OS with unchanged default credentials
Discovery Timeline
- 2021-12-07 - CVE-2021-38759 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-38759
Vulnerability Analysis
This vulnerability stems from CWE-1188 (Insecure Default Initialization of Resource), where Raspberry Pi OS is distributed with hardcoded default credentials that are publicly documented and widely known. The default user account pi with password raspberry has been a standard configuration since the early releases of Raspberry Pi OS (formerly Raspbian).
The vulnerability enables network-based exploitation without requiring any prior authentication or user interaction. An attacker who can reach an exposed SSH service on a Raspberry Pi device can attempt authentication using these default credentials. Upon successful login, the attacker gains access to an account that typically has sudo privileges, effectively granting root-level access to the system.
This issue is particularly severe in IoT and edge computing environments where Raspberry Pi devices are deployed at scale, often with minimal security hardening. The vulnerability has drawn significant attention, leading Raspberry Pi Foundation to eventually remove the default user account in April 2022.
Root Cause
The root cause is the inclusion of a hardcoded default password for the pi user account in the Raspberry Pi OS image. This design decision was originally made to simplify the initial setup experience for hobbyists and educators. However, this convenience creates a significant security risk when devices are deployed in production environments or exposed to untrusted networks without password changes.
The pi user account is configured by default with sudo access, meaning successful authentication provides an attacker with the ability to execute commands as root. Combined with the network-accessible nature of SSH (enabled by default in many configurations), this creates a trivially exploitable attack surface.
Attack Vector
The attack can be executed remotely over the network. An attacker identifies Raspberry Pi devices through network scanning, looking for SSH services (typically on port 22) or by fingerprinting the device through its MAC address vendor prefix. Once a target is identified, the attacker simply attempts SSH authentication using the username pi and password raspberry.
Successful exploitation provides immediate shell access with the ability to escalate to root privileges via sudo. From there, attackers can install malware, establish persistence, exfiltrate data, or use the compromised device as a pivot point for further network attacks.
Detection Methods for CVE-2021-38759
Indicators of Compromise
- Failed SSH authentication attempts followed by successful login to the pi account from unfamiliar IP addresses
- Unexpected processes or services running under the pi user context
- New cron jobs, systemd services, or startup scripts created by the pi user
- Outbound network connections to suspicious IP addresses or command-and-control infrastructure
- Modified system files or newly created files in /home/pi, /tmp, or other writable directories
Detection Strategies
- Monitor SSH authentication logs (/var/log/auth.log) for successful logins to the pi account from unexpected source IPs
- Implement network intrusion detection rules to alert on SSH traffic to Raspberry Pi devices from external networks
- Deploy endpoint detection solutions to monitor for suspicious command execution or privilege escalation on Raspberry Pi devices
- Use SentinelOne Singularity to detect post-exploitation activities such as malware installation, persistence mechanisms, and lateral movement
Monitoring Recommendations
- Configure centralized log collection from all Raspberry Pi devices to enable correlation of authentication events
- Establish baseline behavior for the pi account and alert on deviations such as unusual login times or command patterns
- Implement network segmentation and monitor traffic crossing segment boundaries for Raspberry Pi device communications
How to Mitigate CVE-2021-38759
Immediate Actions Required
- Change the default password for the pi account immediately on all Raspberry Pi devices using passwd pi
- Audit all deployed Raspberry Pi devices to identify those still using default credentials
- Disable the pi account entirely if not needed and create a new administrative account with a strong, unique password
- Disable SSH access if not required, or restrict SSH access to trusted IP addresses using firewall rules
- Update to the latest Raspberry Pi OS release (April 2022 or later) which removes the default pi user account
Patch Information
The Raspberry Pi Foundation addressed this vulnerability by removing the default user account in Raspberry Pi OS releases from April 2022 onwards. The updated OS image requires users to create a custom user account during initial setup, eliminating the default credential risk. Users should upgrade to the latest Raspberry Pi OS version and follow the Raspberry Pi Configuration Guide for security best practices.
Workarounds
- Change the pi account password to a strong, unique value: sudo passwd pi
- Disable password authentication for SSH and use key-based authentication only
- Configure fail2ban or similar intrusion prevention tools to block brute-force attempts
- Place Raspberry Pi devices behind a firewall and restrict SSH access to VPN or trusted networks only
# Configuration example - Secure SSH configuration
# Edit /etc/ssh/sshd_config and apply these settings:
# Disable password authentication (use keys only)
PasswordAuthentication no
# Disable root login
PermitRootLogin no
# Restrict SSH to specific user
AllowUsers yourusername
# Restart SSH service to apply changes
sudo systemctl restart sshd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
