usd-2018-0020 | Patlite NBM-D88N, NHL-3FB1, NHL-3FV1N/All current firmware versions

Advisory ID: usd-2018-0020
CVE Number: CVE-2018-18473
Affected Product: Patlite NBM-D88N
Affected Version: all versions
Vulnerability Type: SSH Backdoor
Security Risk: Critical
Vendor URL: http://www.patlite.com/
Vendor Status: Update available. Bugfix not verified.

Description

Insufficient protected backdoor in combination with default SSH credentials and allowed root login via password may leads to the system being taken over. This may harm confidentiality, integrity and availability.

1) Hidden backdoor website enables SSH daemon

A critical vulnerability has been found in the Patlite Signal Tower products. The vulnerability is an SSH backdoor that allows a user to connect to an affected Patlite device via SSH. The SSH backdoor consists of a hidden website to enable the SSH daemon and hard-coded user credentials. To connect to an affected Patlite device via the SSH backdoor, a remote attacker needs to supply the a secret password to the URL „/_secret1.html“. The website password for the devices NHL-3FB1 & NHL-3FV1N is „kankichi“. For NBM-D88N the password is „kamiyo4“. Afterwards the SSH daemon is started and listens on the default TCP port (22). This functionality is entirely undocumented and can _not_ be disabled.

2) Remote access via SSH with default credentials

The SSH daemon is accepting the default credentials of username and password: „root“.

Proof of Concept (PoC)

1) Backdoor Website

Open the SSH port on the device: Visit http://DEVICE/_secret1.htm and enter the device specific password („kankichi“ or „kamiyo4“, depending on your device)

2) Remote root Access via SSH with Default Credentials After completing 1):

Connect to the device via SSH on Port 22 with username and password: „root“. Here are no other access restrictions.