CVE-2018-6825 Hardcoded SSH credentials with root privileges

6. February 2018 - Thomas Roth - thomas.roth@leveldown.de

Products affected

Severity

CVSS: 9.6 Critical

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

This vulnerability has been confirmed to be exploitable. The vulnerability will potentially be published after 60 days or after a patch for the vulnerability has been released.

Description

An SSH server is running on the Vobot, and a hardcoded vobot user account exists with a hardcoded (but MD5-hashed) password. Notably, this user has full root privileges.

Excerpt from /etc/shadow:

vobot:$1$ShxJPoPg$jJtInqjXp.2117h5P5kr0.:17314:0:99999:7:::

Notably, this user has full root permissions on the device.

An attacker who obtains this password (for example by cracking the hash) can log in to the Vobot over SSH and gain full control of the device.

Mitigation

There should be no hardcoded and non-user-changeable passwords on the device.
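
A firmware-review check for the kind of entry shown in the /etc/shadow excerpt, as an added example that is not part of the original advisory: it parses shadow-format lines and reports every account that still accepts a password login, the crypt(3) scheme of its hash, and the date the password was last set. Only the vobot line is taken from the advisory; the other sample lines and the name audit_shadow are constructed for illustration.

```python
from datetime import date, timedelta

# crypt(3) scheme identifiers that appear between the first two '$' signs.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt", "none"}

# Sample input. Only the vobot line comes from the advisory; the rest is constructed.
SAMPLE_SHADOW = """\
root:*:17314:0:99999:7:::
daemon:!:17314:0:99999:7:::
vobot:$1$ShxJPoPg$jJtInqjXp.2117h5P5kr0.:17314:0:99999:7:::
svc:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHPLACEHOLDER:19000:0:99999:7:::
"""

def audit_shadow(text):
    """Return one finding per account that accepts a password login."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        user, pw, last_change = fields[0], fields[1], fields[2]
        if pw.startswith(("!", "*")):
            continue  # locked account or password login disabled
        if pw == "":
            scheme = "none"  # empty field: no password required
        elif pw.startswith("$"):
            ident = pw.split("$")[1]
            scheme = SCHEMES.get(ident, "unknown:" + ident)
        else:
            # Traditional DES crypt is 13 characters with no '$' prefix.
            scheme = "descrypt" if len(pw) == 13 else "unknown"
        set_on = None
        if last_change.isdigit():
            # Field 3 counts days since 1970-01-01.
            set_on = date(1970, 1, 1) + timedelta(days=int(last_change))
        findings.append({"user": user, "scheme": scheme,
                         "weak": scheme in WEAK, "password_set": set_on})
    return findings

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(finding)
```

A password-set date that matches the firmware build date and is identical across devices is a strong sign the credential is hardcoded rather than provisioned per device.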

Example/Proof of concept

By changing the password of the vobot user through the vulnerability described in CVE-2018-6826, it was confirmed that this user has full root privileges.

Disclosure timeline