usd-2018-0020 | Patlite NBM-D88N, NHL-3FB1, NHL-3FV1N/All current firmware versions

Advisory ID: usd-2018-0020
CVE Number: CVE-2018-18473
Affected Product: Patlite NBM-D88N
Affected Version: all versions
Vulnerability Type: SSH Backdoor
Security Risk: Critical
Vendor URL: http://www.patlite.com/
Vendor Status: Update available. Bugfix not verified.

Description

An insufficiently protected backdoor, in combination with default SSH credentials and permitted root login via password, may lead to the system being taken over. This may harm confidentiality, integrity and availability.

1) Hidden backdoor website enables SSH daemon

A critical vulnerability has been found in the Patlite Signal Tower products. The vulnerability is an SSH backdoor that allows a user to connect to an affected Patlite device via SSH. The SSH backdoor consists of a hidden website to enable the SSH daemon and hard-coded user credentials. To connect to an affected Patlite device via the SSH backdoor, a remote attacker needs to supply a secret password to the URL „/_secret1.html“. The website password for the devices NHL-3FB1 & NHL-3FV1N is „kankichi“. For NBM-D88N the password is „kamiyo4“. Afterwards the SSH daemon is started and listens on the default TCP port (22). This functionality is entirely undocumented and can _not_ be disabled.

2) Remote access via SSH with default credentials

The SSH daemon accepts default credentials: the username and the password are both „root“.

Proof of Concept

1) Backdoor Website

Open the SSH port on the device: visit http://DEVICE/_secret1.htm and enter the device-specific password („kankichi“ or „kamiyo4“, depending on your device).

2) Remote root Access via SSH with Default Credentials

After completing 1), connect to the device via SSH on port 22 with username and password: „root“. There are no other access restrictions.

Fix

As a temporary fix, place the appliances behind a firewall and block any incoming traffic (local and Internet) to port 22. If the vendor releases a software update that removes the backdoor, it is recommended to install this update in a timely manner.
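Until an update is installed, network logs can be checked for the sequence described in the proof of concept: a request to the hidden page followed by an SSH connection to the same device. The following is an added example and not part of the original advisory; the log format, the addresses and the function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample flow/proxy records (not taken from the advisory):
# time, source, destination device, destination port, HTTP path ("-" if none)
SAMPLE_LOG = """\
2018-11-20T08:00:01 10.0.5.17 10.0.9.40 80 /index.html
2018-11-20T08:00:09 10.0.5.17 10.0.9.40 80 /_secret1.htm
2018-11-20T08:00:31 10.0.5.17 10.0.9.40 22 -
2018-11-20T09:12:00 10.0.5.23 10.0.9.41 80 /_secret1.html
2018-11-20T11:30:00 10.0.5.30 10.0.9.42 22 -
"""

BACKDOOR_PREFIX = "/_secret1.htm"  # matches both spellings used in the advisory
SSH_PORT = 22


def parse(line):
    """Split one record of the assumed five-column log format."""
    ts, src, dst, dport, path = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), path


def find_backdoor_activity(log_text, window=timedelta(minutes=30)):
    """Return (kind, device, source, time) findings in log order."""
    findings = []
    page_hits = {}  # device -> time of the last request to the hidden page
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, path = parse(line)
        if dport != SSH_PORT and path.lower().startswith(BACKDOOR_PREFIX):
            page_hits[dst] = ts
            findings.append(("backdoor-page-request", dst, src, ts))
        elif dport == SSH_PORT:
            hit = page_hits.get(dst)
            if hit is not None and timedelta(0) <= ts - hit <= window:
                # SSH shortly after the hidden page was requested on this device
                findings.append(("ssh-after-backdoor-page", dst, src, ts))
            else:
                # Port 22 should be blocked per the advisory's temporary fix
                findings.append(("ssh-to-device", dst, src, ts))
    return findings


if __name__ == "__main__":
    for kind, device, source, when in find_backdoor_activity(SAMPLE_LOG):
        print(f"{when.isoformat()} {kind:24} device={device} source={source}")
```

Any finding against a Patlite device warrants follow-up, since with the temporary fix in place no traffic to port 22 should reach the device at all.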

Timeline

  • 2018-07-02 First contact request via technical@patlite.com.
  • 2018-07-16 Second contact request via info@patlite.eu.
  • 2018-07-30 Third contact request via info@patlite.eu.
  • 2018-11-19 The advisory has been published.
  • 2019-11-18 Vendor status has been updated.

Credits

These security vulnerabilities were discovered by Lars Neumann and Stefan Schmer of usd AG.

ABOUT usd SECURITY ADVISORIES

In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.

Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.

Always for the sake of our mission: „more security.“



In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.

Disclaimer

The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.