cve-2024-31151
Vulnerability from cvelistv5
Published
2024-10-30 13:35
Modified
2024-10-30 14:03
Severity ?
EPSS score ?
Summary
A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The password string can be found at addresses 0x 803cdd0f and 0x803da3e6:
803cdd0f 41 72 69 65 ds "AriesSerenaCairryNativitaMegan"
73 53 65 72
65 6e 61 43
...
It is referenced by the function at 0x800b78b0 and simplified in the pseudocode below:
if (is_equal = strcmp(password,"AriesSerenaCairryNativitaMegan"){
ret = 3;}
Where 3 is the return value to user-level access (0 being fail and 1 being admin/backdoor).
While there's no legitimate functionality to change this password, once authenticated it is possible manually make a change by taking advantage of TALOS-2024-XXXXX using HTTP POST paramater "Pu" (new user password) in place of "Pa" (new admin password).
References
▼ | URL | Tags | |
---|---|---|---|
talos-cna@cisco.com | https://talosintelligence.com/vulnerability_reports/TALOS-2024-1979 | Third Party Advisory |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-31151", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-30T13:59:56.626802Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-30T14:03:14.932Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "WBR-6012", "vendor": "LevelOne", "versions": [ { "status": "affected", "version": "R0.40e6" } ] } ], "credits": [ { "lang": "en", "value": "Discovered by Francesco Benvenuto and Patrick DeSantis of Cisco Talos." } ], "descriptions": [ { "lang": "en", "value": "A security flaw involving hard-coded credentials in LevelOne WBR-6012\u0027s web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The password string can be found at addresses 0x 803cdd0f and 0x803da3e6:\r\n\r\n 803cdd0f 41 72 69 65 ds \"AriesSerenaCairryNativitaMegan\"\r\n 73 53 65 72 \r\n 65 6e 61 43\r\n ...\r\n\r\nIt is referenced by the function at 0x800b78b0 and simplified in the pseudocode below:\r\n\r\n if (is_equal = strcmp(password,\"AriesSerenaCairryNativitaMegan\"){\r\n ret = 3;}\r\n\r\nWhere 3 is the return value to user-level access (0 being fail and 1 being admin/backdoor).\r\n\r\nWhile there\u0027s no legitimate functionality to change this password, once authenticated it is possible manually make a change by taking advantage of TALOS-2024-XXXXX using HTTP POST paramater \"Pu\" (new user password) in place of \"Pa\" (new admin password)." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-798", "description": "CWE-798: Use of Hard-coded Credentials", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-30T13:35:20.113Z", "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos" }, "references": [ { "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1979", "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1979" } ] } }, "cveMetadata": { "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "assignerShortName": "talos", "cveId": "CVE-2024-31151", "datePublished": "2024-10-30T13:35:20.113Z", "dateReserved": "2024-04-30T21:32:15.720Z", "dateUpdated": "2024-10-30T14:03:14.932Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-31151\",\"sourceIdentifier\":\"talos-cna@cisco.com\",\"published\":\"2024-10-30T14:15:05.507\",\"lastModified\":\"2024-11-13T18:19:26.453\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A security flaw involving hard-coded credentials in LevelOne WBR-6012\u0027s web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The password string can be found at addresses 0x 803cdd0f and 0x803da3e6:\\r\\n\\r\\n 803cdd0f 41 72 69 65 ds \\\"AriesSerenaCairryNativitaMegan\\\"\\r\\n 73 53 65 72 \\r\\n 65 6e 61 43\\r\\n ...\\r\\n\\r\\nIt is referenced by the function at 0x800b78b0 and simplified in the pseudocode below:\\r\\n\\r\\n if (is_equal = strcmp(password,\\\"AriesSerenaCairryNativitaMegan\\\"){\\r\\n ret = 3;}\\r\\n\\r\\nWhere 3 is the return value to user-level access (0 being fail and 1 being admin/backdoor).\\r\\n\\r\\nWhile there\u0027s no legitimate functionality to change this password, once authenticated it is possible manually make a change by taking advantage of TALOS-2024-XXXXX using HTTP POST paramater \\\"Pu\\\" (new user password) in place of \\\"Pa\\\" (new admin password).\"},{\"lang\":\"es\",\"value\":\"Una falla de seguridad que involucra credenciales codificadas en los servicios web de LevelOne WBR-6012 permite a los atacantes obtener acceso no autorizado durante los primeros 30 segundos posteriores al arranque. Otras vulnerabilidades pueden forzar un reinicio, eludiendo la restricci\u00f3n de tiempo inicial para la explotaci\u00f3n. La cadena de contrase\u00f1a se puede encontrar en las direcciones 0x 803cdd0f y 0x803da3e6: 803cdd0f 41 72 69 65 ds \\\"AriesSerenaCairryNativitaMegan\\\" 73 53 65 72 65 6e 61 43 ... La funci\u00f3n hace referencia a ella en 0x800b78b0 y se simplifica en el pseudoc\u00f3digo siguiente: if (is_equal = strcmp(password,\\\"AriesSerenaCairryNativitaMegan\\\"){ ret = 3;} Donde 3 es el valor de retorno para el acceso a nivel de usuario (0 es error y 1 es administrador/puerta trasera). Si bien no hay una funcionalidad leg\u00edtima para cambiar esta contrase\u00f1a, una vez autenticado es posible realizar un cambio manualmente aprovechando TALOS-2024-XXXXX mediante HTTP POST par\u00e1metro \\\"Pu\\\" (nueva contrase\u00f1a de usuario) en lugar de \\\"Pa\\\" (nueva contrase\u00f1a de administrador).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"talos-cna@cisco.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"talos-cna@cisco.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:level1:wbr-6012_firmware:r0.40e6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FCC94B2E-4651-4E98-90A1-CB53CC2E24CC\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:level1:wbr-6012:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FD255E3-0DBF-440C-AC6A-90B30DB59B34\"}]}]}],\"references\":[{\"url\":\"https://talosintelligence.com/vulnerability_reports/TALOS-2024-1979\",\"source\":\"talos-cna@cisco.com\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.