CVE-2024-39345
> AdTran 834-5 HDC17600021F1 (SmartOS 11.1.1.1) devices enable the
> SSH service by default and have a hidden, undocumented, hard-coded
> support account whose password is based on the device's MAC address.
> All of the device's internet interfaces share a similar MAC address that
> only varies in their final octet. This allows network-adjacent
> attackers to derive the support user's SSH password by decrementing
> the final octet of the connected gateway address or via the BSSID. An attacker can then
> execute arbitrary OS commands with root-level privileges.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> CWE-259: Use of Hard-coded Password
>
> ------------------------------------------
>
> [Vendor of Product]
> Adtran, Inc.
>
> ------------------------------------------
>
> [Affected Product Code Base]
> AdTran 834-5 Residential Gateway - FCC ID: HDC17600021F1, SmartOS 11.1.1.1
> This issue is fixed as of SmartOS Version 12.1.3.1
>
> ------------------------------------------
>
> [Affected Component]
> Router SSH service
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> The password for this hard-coded account is derived from the last three octets of the device's MAC address. This predictability allows network-adjacent attackers to decrement the final octet of the gateway's MAC address to determine the SSH password. Additionally, remote attackers can leverage OSINT and wardriving databases to identify the router's SSID and deduce the MAC address.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Edward Warren
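
A fleet triage sketch for the versions named above, added here as an example and not part of the original advisory or any Adtran tooling. The inventory columns, hostnames and rows are constructed, and treating every release at or above 12.1.3.1 as fixed is an assumption drawn from the "fixed as of" wording.

```python
import csv
import io

AFFECTED = (11, 1, 1, 1)   # SmartOS release named as vulnerable in the advisory
FIXED = (12, 1, 3, 1)      # release the advisory says carries the fix

# Constructed sample inventory (hostnames, column names and rows are made up).
SAMPLE_INVENTORY = """host,model,smartos,ssh_enabled
gw-001,834-5,11.1.1.1,yes
gw-002,834-5,12.1.3.1,yes
gw-003,834-5,11.4.0.2,no
gw-004,834-5,unknown,yes
gw-005,other-cpe,11.1.1.1,yes
"""

def parse_version(text):
    """Return a dotted version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(row):
    """Map one inventory row to a triage status for CVE-2024-39345."""
    if row["model"].strip() != "834-5":
        return "out-of-scope"
    version = parse_version(row["smartos"])
    if version is None:
        return "unknown-version"      # needs a manual check, never assume safe
    if version >= FIXED:
        return "fixed"                # assumption: later releases keep the fix
    if version == AFFECTED:
        return "affected"
    return "unconfirmed"              # below the fix, not named in the advisory

def triage(inventory_csv):
    """Return {host: (status, ssh_enabled)} for every inventory row."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ssh = row["ssh_enabled"].strip().lower() == "yes"
        result[row["host"]] = (classify(row), ssh)
    return result

if __name__ == "__main__":
    for host, (status, ssh) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}, ssh_enabled={ssh}")
```

Devices reported as `affected`, `unconfirmed` or `unknown-version` with SSH enabled are the ones to upgrade or isolate first.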