usd-2018-0020 | Patlite NBM-D88N, NHL-3FB1, NHL-3FV1N/All current firmware versions
Advisory ID: usd-2018-0020
CVE Number: CVE-2018-18473
Affected Product: Patlite NBM-D88N
Affected Version: all versions
Vulnerability Type: SSH Backdoor
Security Risk: Critical
Vendor URL: http://www.patlite.com/
Vendor Status: Update available. Bugfix not verified.
Insufficient protected backdoor in combination with default SSH credentials and allowed root login via password may leads to the system being taken over. This may harm confidentiality, integrity and availability.
1) Hidden backdoor website enables SSH daemon
A critical vulnerability has been found in the Patlite Signal Tower products. The vulnerability is an SSH backdoor that allows a user to connect to an affected Patlite device via SSH. The SSH backdoor consists of a hidden website to enable the SSH daemon and hard-coded user credentials. To connect to an affected Patlite device via the SSH backdoor, a remote attacker needs to supply the a secret password to the URL „/_secret1.html“. The website password for the devices NHL-3FB1 & NHL-3FV1N is „kankichi“. For NBM-D88N the password is „kamiyo4“. Afterwards the SSH daemon is started and listens on the default TCP port (22). This functionality is entirely undocumented and can _not_ be disabled.
2) Remote access via SSH with default credentials
The SSH daemon is accepting the default credentials of username and password: „root“.
Proof of Concept (PoC)
1) Backdoor Website
Open the SSH port on the device: Visit http://DEVICE/_secret1.htm and enter the device specific password („kankichi“ or „kamiyo4“, depending on your device)
2) Remote root Access via SSH with Default Credentials After completing 1):
Connect to the device via SSH on Port 22 with username and password: „root“. Here are no other access restrictions.
As a temporary fix, place the appliances behind a firewall and block any incoming traffic (local and Internet) to port 22. If the vendor releases a software update that removes the backdoor, it is recommended to install this update in a timely manner.
- 2018-07-02 First contact request via email@example.com.
- 2018-07-16 Second contact request via firstname.lastname@example.org.
- 2018-07-30 Third contact request via email@example.com.
- 2018-11-19 The advisory has been published
- 2019-11-18 Vendor status has been updated
These security vulnerabilities were discovered by Lars Neumann and Stefan Schmer of usd AG.