Executive Summary

Title: DSL routers contain hard-coded "XXXXairocon" credentials
Name: VU#950576
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2015-08-25
Last vendor modification: 2015-08-27
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact sub score: NA
Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 9.3
CVSS impact score: 10
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

Detail

Vulnerability Note VU#950576

DSL routers contain hard-coded "XXXXairocon" credentials

Original Release date: 25 Aug 2015 | Last revised: 27 Aug 2015

Overview

DSL routers by ASUS, DIGICOM, Observa Telecom, Philippine Long Distance Telephone (PLDT), and ZTE contain hard-coded "XXXXairocon" credentials.

Description

CWE-798: Use of Hard-coded Credentials

DSL routers, including the ASUS DSL-N12E, DIGICOM DG-5524T, Observa Telecom RTA01N, Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and Kasda KW58293, and ZTE ZXV10 W300, contain hard-coded credentials that are usable in the telnet service on the device. In the ASUS, DIGICOM, Observa Telecom, and ZTE devices the username is "admin"; in the PLDT devices the username is "adminpldt"; and in all affected devices the password is "XXXXairocon", where "XXXX" is the last four characters of the device's MAC address. The MAC address may be obtainable over SNMP with the community string "public".

The vulnerability was previously disclosed in VU#228886 and assigned CVE-2014-0329 for the ZTE ZXV10 W300, but it was not known at the time that the same vulnerability affected products from other vendors. The Observa Telecom RTA01N issue was previously disclosed on the Full Disclosure mailing list.

Impact

A remote attacker may utilize these credentials to gain administrator access to the device.

Solution

The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround:

Restrict access

Enable firewall rules so the telnet service of the device is not accessible to untrusted sources. Enable firewall rules that block SNMP on the device.
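As an added illustration of this workaround (example code, not part of the CERT note): an iptables ruleset that limits the device's telnet service to a trusted LAN subnet and blocks SNMP outright, since the MAC address SNMP exposes is the only variable part of the hard-coded password. It assumes a Linux host with iptables and the conntrack, limit and LOG modules (the router itself if it offers a shell, or a firewall in front of it using FORWARD instead of INPUT); the interface names and subnet are placeholders.

```shell
#!/bin/sh
# Added example (not from the CERT note): iptables rules for the
# "Restrict access" workaround. Interface names and the trusted subnet
# are assumptions; adjust them to the network being protected.
LAN_IF="${LAN_IF:-br0}"                 # assumed trusted (LAN) interface
WAN_IF="${WAN_IF:-ppp0}"                # assumed untrusted (DSL/WAN) interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed management subnet
CHAIN="VU950576"

# Emit the rules as text rather than applying them, so the set can be
# reviewed (or tested) without root. Ordering matters: the LAN accept must
# precede the telnet drop, and the log rule must precede the drop it
# reports on. SNMP (161) is dropped from every source, as the note advises.
build_rules() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -i $LAN_IF -s $LAN_NET -p tcp --dport 23 -m conntrack --ctstate NEW -j ACCEPT
iptables -A $CHAIN -i $WAN_IF -p tcp --dport 23 -m limit --limit 5/min -j LOG --log-prefix "$CHAIN telnet: "
iptables -A $CHAIN -p tcp --dport 23 -j DROP
iptables -A $CHAIN -p udp --dport 161 -j DROP
iptables -A $CHAIN -p tcp --dport 161 -j DROP
iptables -C INPUT -j $CHAIN 2>/dev/null || iptables -I INPUT 1 -j $CHAIN
EOF
}

# Apply the generated rules on the local host (needs root).
apply_rules() {
    build_rules | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run with no argument to print the rules for review; run with `apply` as root to install them.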

Vendor Information

Vendor                               Status    Date Notified  Date Updated
AsusTek Computer Inc.                Affected  04 May 2015    25 Aug 2015
DIGICOM (HK)                         Affected  -              25 Aug 2015
Observa Telecom                      Affected  -              25 Aug 2015
Philippine Long Distance Telephone   Affected  02 Jun 2015    27 Aug 2015
ZTE Corporation                      Affected  03 Dec 2013    25 Aug 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           9.3    AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal       8.0    E:POC/RL:U/RC:UR
Environmental  6.0    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://seclists.org/fulldisclosure/2015/May/129
  • https://www.kb.cert.org/vuls/id/228886
  • https://www.asus.com/Networking/DSLN12E/
  • http://www.digicom.com.hk/index.php?section=products&action=details&id=156#.VdzITpcuzl0
  • http://www.movistar.es/particulares/atencion-cliente/internet/adsl/equipamiento-adsl/routers/router-adsl-observa-rta01n-v2/

Credit

Thanks to Walter Mostosi for reporting the issue affecting ASUS devices, Naresh LamGarde for DIGICOM devices, and to Eskie Cirrus James Maquilang for PLDT devices. Thanks again to Cesar Neira for reporting the issue in ZTE devices, and to Jose Antonio Rodriguez Garcia for disclosing the Observa Telecom vulnerability to Full Disclosure.

This document was written by Joel Land and Garret Wassermann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 25 Aug 2015
  • Date First Published: 25 Aug 2015
  • Date Last Updated: 27 Aug 2015
  • Document Revision: 18

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

URL: http://www.kb.cert.org/vuls/id/950576

CWE : Common Weakness Enumeration

  • CWE-255 Credentials Management (100 %)

CPE : Common Platform Enumeration

  • Hardware: 1 entry

ExploitDB Exploits

  • 2014-02-09: ZTE ZXV10 W300 Router - Hardcoded Credentials

Nessus® Vulnerability Scanner

  • 2014-03-05: The remote device is using a known set of hard-coded credentials. File: zte_zxv10_backdoor.nasl; Type: ACT_GATHER_INFO

Alert History

  • 2016-06-29 01:31:23: Multiple updates
  • 2015-08-27 21:26:39: Multiple updates
  • 2015-08-27 17:37:18: Multiple updates
  • 2015-08-26 00:22:36: First insertion