CVE-2018-5399 - OpenCVE

The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SSH server, v2015.55, configured to listen on Port 22 while the DCU is running. The Dropbear server is configured with a hard-coded user name and password combination of root / amroot. The server is configured to use password only authentication not cryptographic keys, however the firmware image contains an RSA host-key for the server. An attacker can exploit this vulnerability to gain root access to the Angstrom Linux operating system and modify any binaries or configuration files in the firmware. Affected releases are Auto-Maskin DCU-210E RP-210E: Versions prior to 3.7 on ARMv7.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Auto-maskin	Rp-210e Dcu-210e Firmware Dcu-210e Rp-210e Firmware

Configuration 1 [-]

AND

cpe:2.3:o:auto-maskin:dcu-210e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:auto-maskin:dcu-210e:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:auto-maskin:rp-210e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:auto-maskin:rp-210e:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.kb.cert.org/vuls/id/176301	Third Party Advisory US Government Resource
https://www.us-cert.gov/ics/advisories/icsa-20-051-04

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: certcc

Published: 2018-10-01T00:00:00

Updated: 2020-02-24T14:50:38

Reserved: 2018-01-12T00:00:00

Link: CVE-2018-5399

JSON object: View

NVD Information

Status : Modified

Published: 2018-10-08T15:29:02.633

Modified: 2019-10-09T23:41:17.627

Link: CVE-2018-5399

JSON object: View

Redhat Information

No data.

CWE

CWE-798

{"containers": {"cna": {"affected": [{"platforms": ["ARMv7"], "product": "DCU-210E ", "vendor": "Auto-Maskin", "versions": [{"lessThan": "3.7", "status": "affected", "version": "3.7", "versionType": "custom"}]}, {"platforms": ["ARMv7"], "product": "RP-210E", "vendor": "Auto-Maskin", "versions": [{"lessThan": "3.7", "status": "affected", "version": "3.7", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Reporters: Brian Satira, Brian Olson, Organization: Project Gunsway"}], "datePublic": "2018-10-01T00:00:00", "descriptions": [{"lang": "en", "value": "The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SSH server, v2015.55, configured to listen on Port 22 while the DCU is running. The Dropbear server is configured with a hard-coded user name and password combination of root / amroot. The server is configured to use password only authentication not cryptographic keys, however the firmware image contains an RSA host-key for the server. An attacker can exploit this vulnerability to gain root access to the Angstrom Linux operating system and modify any binaries or configuration files in the firmware. Affected releases are Auto-Maskin DCU-210E RP-210E: Versions prior to 3.7 on ARMv7."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798: Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-02-24T14:50:38", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "VU#176301", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://www.kb.cert.org/vuls/id/176301"}, {"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-20-051-04"}], "solutions": [{"lang": "en", "value": "End-users should log-in via the SSH server and remove it as a service, or change the hard-coded password to SP 800-63B standards."}], "source": {"discovery": "EXTERNAL"}, "title": "The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SSH server, v2015.55, configured to listen on Port 22 while the DCU is running and is configured with a hard-coded credentials", "workarounds": [{"lang": "en", "value": "End-users should log-in via the SSH server and remove it as a service, or change the hard-coded password to SP 800-63B standards.\n"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "DATE_PUBLIC": "2018-10-01T04:00:00.000Z", "ID": "CVE-2018-5399", "STATE": "PUBLIC", "TITLE": "The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SSH server, v2015.55, configured to listen on Port 22 while the DCU is running and is configured with a hard-coded credentials"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DCU-210E ", "version": {"version_data": [{"affected": "<", "platform": "ARMv7", "version_affected": "<", "version_name": "3.7", "version_value": "3.7"}]}}, {"product_name": "RP-210E", "version": {"version_data": [{"affected": "<", "platform": "ARMv7", "version_affected": "<", "version_name": "3.7", "version_value": "3.7"}]}}]}, "vendor_name": "Auto-Maskin"}]}}, "credit": [{"lang": "eng", "value": "Reporters: Brian Satira, Brian Olson, Organization: Project Gunsway"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SSH server, v2015.55, configured to listen on Port 22 while the DCU is running. The Dropbear server is configured with a hard-coded user name and password combination of root / amroot. The server is configured to use password only authentication not cryptographic keys, however the firmware image contains an RSA host-key for the server. An attacker can exploit this vulnerability to gain root access to the Angstrom Linux operating system and modify any binaries or configuration files in the firmware. Affected releases are Auto-Maskin DCU-210E RP-210E: Versions prior to 3.7 on ARMv7."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798: Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "VU#176301", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/176301"}, {"name": "https://www.us-cert.gov/ics/advisories/icsa-20-051-04", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-20-051-04"}]}, "solution": [{"lang": "en", "value": "End-users should log-in via the SSH server and remove it as a service, or change the hard-coded password to SP 800-63B standards."}], "source": {"discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "End-users should log-in via the SSH server and remove it as a service, or change the hard-coded password to SP 800-63B standards.\n"}]}}}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2018-5399", "datePublished": "2018-10-01T00:00:00", "dateReserved": "2018-01-12T00:00:00", "dateUpdated": "2020-02-24T14:50:38", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:auto-maskin:dcu-210e_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AABA2941-1749-4916-9BF3-D600192C2871", "versionEndExcluding": "3.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:auto-maskin:dcu-210e:-:*:*:*:*:*:*:*", "matchCriteriaId": "B7569773-60A5-4E8A-B85D-33AF31052852", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:auto-maskin:rp-210e_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACBB628A-FCA7-4E7B-AA13-32C2CFA4F5A9", "versionEndExcluding": "3.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:auto-maskin:rp-210e:-:*:*:*:*:*:*:*", "matchCriteriaId": "B90DF062-A9CB-48BD-ACC7-067271EB160B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SSH server, v2015.55, configured to listen on Port 22 while the DCU is running. The Dropbear server is configured with a hard-coded user name and password combination of root / amroot. The server is configured to use password only authentication not cryptographic keys, however the firmware image contains an RSA host-key for the server. An attacker can exploit this vulnerability to gain root access to the Angstrom Linux operating system and modify any binaries or configuration files in the firmware. Affected releases are Auto-Maskin DCU-210E RP-210E: Versions prior to 3.7 on ARMv7."}, {"lang": "es", "value": "El firmware de Auto-Maskin DCU 210E contiene un servidor Dropbear SSH no documentado, v2015.55, configurado para escuchar en el puerto 22 mientras se est\u00e1 ejecutando DCU. El servidor DCU est\u00e1 configurado con una combinaci\u00f3n embebida de nombre de usuario y contrase\u00f1a de root/amroot. El servidor est\u00e1 configurado para emplear solo contrase\u00f1as en lugar de claves criptogr\u00e1ficas; sin embargo, la imagen del firmware contiene una clave de host RSA para el servidor. Un atacante puede explotar esta vulnerabilidad para obtener acceso root al sistema operativo Angstrom Linux y modificar cualquier binario o archivo de configuraci\u00f3n en el firmware. Las versiones afectadas son Auto-Maskin DCU-210E RP-210E: versiones anteriores a la 3.7 en ARMv7."}], "id": "CVE-2018-5399", "lastModified": "2019-10-09T23:41:17.627", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "cret@cert.org", "type": "Secondary"}]}, "published": "2018-10-08T15:29:02.633", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/176301"}, {"source": "cret@cert.org", "url": "https://www.us-cert.gov/ics/advisories/icsa-20-051-04"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "cret@cert.org", "type": "Secondary"}]}