Baicells Nova436Q and Neutrino 430 devices with firmware through QRTB 2.7.8 have hardcoded credentials that are easily discovered, and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.)
This will be determined by the CNA that I am working with, but here is my "I'm not a security expert" interpretation of the variables on the NVD's calculator. I think that this scores somewhere between 9.4 and a 10.0. Based on the security posture of the firmware, I think that this is a 10.0, but I'm not sure if that is considered for Scope or Integrety.
It ended up being rated as a CVSS 9.8
CWE-284: Improper Access Control
BaiCells
NOVA436Q - QRTB 2.7.8 (Likely all builds before 2.9.x) NEUTRINO430 - QRTB 2.7.8 (Likely all builds before 2.9.x)
Usernames and Passwords are static in the firmware, encrypted using crypt(), and so are crackable.
Remote
True
True
True
True
Out of the box, the firmware has static usernames and passwords.
https://na.baicells.com/Service/Firmware https://img.baicells.com//Upload/20211230/FILE/BaiBS_QRTB_2.7.8.IMG.IMG https://img.baicells.com//Upload/20210909/FILE/98d2752f-6e83-49b1-9dab-d291e9023db6.pdf
Yes, though not publicly.
Luke Jenkins
(timeline goes here)
User "admin" password of [temporaraly "removed" at the request of the vendor] stored using unix crypt() DES algorithm.
Undocumented & non-configurable user "anonymous" password of [temporaraly "removed" at the request of the vendor] stored using unix crypt() DES algorithm.
Undocumented, non-configurable (but seemingly unusable for ssh) user "root" password of [temporaraly "removed" at the request of the vendor] stored using unix crypt() DES algorithm. Vendor claims this is unique per device, but this hasn't been confirmed.
- Download firmware from the vendor's website, no login needed. As a customer, I love this; but from a security point of view it is important to understand how easy it is for a bad actor to get the firmware.
- Run binwalk on the firmware image, a tool that extracts all of the files contained in the firmware. Snag the usernames and password hashes from /etc/passwd and /etc/shadow.
- Use hashcat to crack the hashes. In addition to being designed with 30+ year old CPUs in mind, the unix crypt() function "protecting" these passwords also limits them to 8 characters. Passwords go pop.
- Credentials for the anonymous user can be used to ssh into the device. I'll save you the trouble of a port scan or looking through the config files from step 2, dropbear is listening on port 27149.
This is my first published CVE, so please excuse (or pull request) any errors.
Thanks to the folks at UETN for the assistance and backing on this one.
Also thank you to the staff of Baicells NA for working with me on correcting this issue.