Executive Summary

Summary
Title OpenELEC and RasPlex have a hard-coded SSH root password
Informations
Name VU#544527 First vendor Publication 2016-02-02
Vendor VU-CERT Last vendor Modification 2016-02-02
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#544527

OpenELEC and RasPlex have a hard-coded SSH root password

Original Release date: 02 Feb 2016 | Last revised: 02 Feb 2016

Overview

OpenELEC and derivatives utilize a hard-coded default root password, and enable SSH root access by default.

Description

CWE-259: Use of Hard-coded Password

OpenELEC has a hard-coded root password. The root partition is by default read-only, preventing a user from changing the password once installed; furthermore, SSH access is enabled by default.

RasPlex is based on OpenELEC and therefore inherits this same problem.

According to RasPlex, "The root filesystem is read only (squashfs). This prevents the ability to change the root password, but also prevents an attacker from modifying the filesystem."

Impact

A remote attacker may gain root access to the device.

Solution

The CERT/CC is currently unaware of a full solution to this issue. Affected users may consider the following mitigations:

Disable SSH password access

Disable the use of password access to SSH, and enable SSH keys instead.

RasPlex notes that "users can simply disable SSH via the dialog if they are worried about being compromised."

Build with a different password

Developers may build their own distribution of OpenELEC or RasPlex from source and modify the root password at build time. Users should be aware however that this password is still hard-coded and may leave a user vulnerable to further attack; future password changes would require another rebuild and deployment.

Restrict network access

Use a firewall or similar technology to restrict access to trusted hosts, networks, and services.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
OpenELECAffected-29 Jan 2016
RasPlexAffected-29 Jan 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base10.0AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal8.5E:POC/RL:U/RC:UR
Environmental2.1CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://wiki.openelec.tv/index.php?title=OpenELEC_FAQ#SSH_Password_change
  • http://wiki.openelec.tv/index.php?title=Config_connect_ssh_wo_password
  • http://wiki.openelec.tv/index.php?title=Compile_from_source
  • https://github.com/RasPlex/RasPlex/issues/453

Credit

Thanks to Aidan Samuel for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:Unknown
  • Date Public:02 Feb 2016
  • Date First Published:02 Feb 2016
  • Date Last Updated:02 Feb 2016
  • Document Revision:24

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/544527

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-255 Credentials Management

CPE : Common Platform Enumeration

TypeDescriptionCount
Os 1

Nessus® Vulnerability Scanner

Date Description
2013-01-28 Name : The remote system can be accessed with a default password.
File : account_root_openelec.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
Date Informations
2016-02-25 17:26:03
  • Multiple Updates
2016-02-08 21:28:49
  • Multiple Updates
2016-02-05 13:27:44
  • Multiple Updates
2016-02-02 21:29:16
  • Multiple Updates
2016-02-02 21:23:59
  • First insertion