{"id":16563,"date":"2021-07-08T09:31:51","date_gmt":"2021-07-08T07:31:51","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0020\/"},"modified":"2021-07-19T14:08:37","modified_gmt":"2021-07-19T12:08:37","slug":"usd-2018-0020","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0020\/","title":{"rendered":"usd-2018-0020"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

usd-2018-0020 | Patlite NBM-D88N, NHL-3FB1, NHL-3FV1N\/All current firmware versions<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2018-0020<\/span>
CVE Number<\/strong>: CVE-2018-18473<\/span>
Affected Product<\/strong>: Patlite NBM-D88N<\/span>
Affected Version<\/strong>: all versions<\/span>
Vulnerability Type<\/strong>: SSH Backdoor<\/span>
Security Risk<\/strong>: Critical<\/span>
Vendor URL<\/strong>: <\/span>http:\/\/www.patlite.com\/<\/a>
Vendor Status<\/strong>: Update available. Bugfix not verified.<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

Insufficient protected backdoor in combination with default SSH credentials and allowed root login via password may leads to the system being taken over. This may harm confidentiality, integrity and availability.<\/p>\n

1) Hidden backdoor website enables SSH daemon<\/p>\n

A critical vulnerability has been found in the Patlite Signal Tower products. The vulnerability is an SSH backdoor that allows a user to connect to an affected Patlite device via SSH. The SSH backdoor consists of a hidden website to enable the SSH daemon and hard-coded user credentials. To connect to an affected Patlite device via the SSH backdoor, a remote attacker needs to supply the a secret password to the URL \u201e\/_secret1.html\u201c. The website password for the devices NHL-3FB1 & NHL-3FV1N is \u201ekankichi\u201c. For NBM-D88N the password is \u201ekamiyo4\u201c. Afterwards the SSH daemon is started and listens on the default TCP port (22). This functionality is entirely undocumented and can _not_ be disabled.<\/p>\n

2) Remote access via SSH with default credentials<\/p>\n

The SSH daemon is accepting the default credentials of username and password: \u201eroot\u201c.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

1) Backdoor Website<\/p>\n

Open the SSH port on the device: Visit http:\/\/DEVICE\/_secret1.htm and enter the device specific password (\u201ekankichi\u201c or \u201ekamiyo4\u201c, depending on your device)<\/p>\n

2) Remote root Access via SSH with Default Credentials After completing 1):<\/p>\n

Connect to the device via SSH on Port 22 with username and password: \u201eroot\u201c. Here are no other access restrictions.<\/p>\n

 <\/p>\n

\n
\n

Fix<\/h3>\n

As a temporary fix, place the appliances behind a firewall and block any incoming traffic (local and Internet) to port 22. If the vendor releases a software update that removes the backdoor, it is recommended to install this update in a timely manner.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n
    \n
  • 2018-07-02 First contact request via technical@patlite.com.<\/li>\n
  • 2018-07-16 Second contact request via info@patlite.eu.<\/li>\n
  • 2018-07-30 Third contact request via info@patlite.eu.<\/li>\n
  • 2018-11-19 The advisory has been published<\/li>\n
  • 2019-11-18 Vendor status has been updated<\/li>\n<\/ul>\n

    Credits<\/h3>\n

    These security vulnerabilities were discovered by Lars Neumann and Stefan Schmer of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n

    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

    usd-2018-0020 | Patlite NBM-D88N, NHL-3FB1, NHL-3FV1N\/All current firmware versions Advisory ID: usd-2018-0020CVE Number: CVE-2018-18473Affected Product: Patlite NBM-D88NAffected Version: all versionsVulnerability Type: SSH BackdoorSecurity Risk: CriticalVendor URL: http:\/\/www.patlite.com\/Vendor Status: Update available. Bugfix not verified. Description Insufficient protected backdoor in combination with default SSH credentials and allowed root login via password may leads to the system being […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16563","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16563","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16563"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16563\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}