Lucene search

K
packetstormJames HemmingsPACKETSTORM:150100
HistoryOct 31, 2018 - 12:00 a.m.

EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 Hard-Coded Credentails

2018-10-3100:00:00
James Hemmings
packetstormsecurity.com
187

0.001 Low

EPSS

Percentile

38.1%

`EE 4GEE HH70 Home Router Hardcoded Root SSH Credentials Advisory  
  
Hardware Version/Model: 4GEE Router HH70VB-2BE8GB3 (HH70VB)  
Vulnerable Software Version: HH70_E1_02.00_19  
Patched Software Version: HH70_E1_02.00_21  
Vulnerability CVE(s): CVE-2018-10532  
Product URL:   
https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-router/details  
  
Vulnerability Description:  
An issue was discovered on EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 devices.  
  
Hardcoded root SSH credentials were discovered to be stored within the  
"core_app" binary utilised by the EE router for networking services. An   
attacker with knowledge of the default password (oelinux123) could login   
to the router via SSH as the root user, which could allow for the loss   
of confidentiality, integrity, and availability of the system. This   
would also allow for the bypass of the "AP Isolation" mode that is   
supported by the router, as well as the settings for multiple Wireless   
networks, which a user may use for guest clients.  
  
Attack Vectors:  
An attacker must be able to communicate with the SSH server, however the   
router supports multiple networks and "AP Isolation" mode which could be   
bypassed if the malicious user compromises the router with  
the default credentials/hard coded SSH credentials.  
  
Attack Type: Remote:  
Impact: Administrative SSH Access  
Affected Component:  
root@OpenWrt:/usr/bin# strings core_app | grep root  
sshpass -p oelinux123 scp [email protected]:%s %s  
sshpass -p oelinux123 scp %s [email protected]:%s  
  
  
Reference(s):  
https://blog.jameshemmings.co.uk/2018/04/29/4gee-hg70-router-vulnerability-disclosure  
https://www.theregister.co.uk/2018/10/26/ee_4gee_hh70_ssh_backdoor  
https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-router/details  
  
Disclosure Timeline:  
29th April, 2018 at 12:52 GMT. Email sent with technical vulnerability   
information and PoC.  
10th May, 2018 at 23:23 GMT. Followup email sent, no acknowledgement   
received.  
11th May, 2018 at 06:47 GMT. Acknowledgement received from EE, remedial   
work being reviewed.  
29th June, 2018 at 18:56 GMT. Followup email sent, noticed EE security   
patch email.. confirming if this fixes vulnerability.  
29th June, 2018 at 19:01 GMT. Email from EE, still evaluating fixes of   
the vulnerability.  
18th July, 2018 at 19:32 GMT. Email sent to EE, asking for update as 90   
day window closing shortly.  
18th July, 2018 at 22:12 GMT. Reply from EE, asking for IMEI and current   
S/W version.  
19th July, 2018 at 15:14 GMT. Reply from EE, asking for exact steps to   
reproduce issue.  
20th July, 2018 at 07:56 GMT. Email sent to EE with requested information.  
4th October, 2018 at 22:58 GMT. Email sent to EE asking for update.  
5th October, 2018 at 08:29 GMT. Reply from EE stating its patched.  
5th October, 2018 at 19:51 GMT. Advised EE that its not patched on this   
version.  
6th October, 2018 at 06:54 GMT. Reply from EE, stating they will check   
with their development team and will come back to me on Monday.  
6th October, 2018 at 08:30 GMT. Email to EE acknowledging last email and   
that is OK.  
6th October, 2018 at 08:40 GMT. Reply from EE asking for clarity on the   
vulnerability and the recommended fix, as well as the overall risk rating.  
6th October, 2018 at 09:11 GMT. Email sent to EE with the requested   
information.  
6th October, 2018 at 09:17 GMT. Reply sent from EE, mentioning the   
comments/advice is understood and they will be in touch on Monday.  
8th October, 2018 at 21:50 GMT. Email sent to EE asking for fix ETA.  
8th October, 2018 at 22:03 GMT. Reply from EE, advising they are still   
working on the issue and the options. Update to be provided tomorrow.  
9th October, 2018 at 20:05 GMT. Reply from EE, confirming SSH   
functionality has been disabled in the fix and there is further   
verification required before an update is released.  
9th October, 2018 at 20:13 GMT. Email sent to EE asking for approximate   
ETA and planned fix date.  
9th October, 2018 at 20:16 GMT. Reply from EE, stating its being pushed   
through as a matter of urgency, that the fix has been verified and the   
binary is being compiled at the moment, further verification still required.  
12th October, 2018 at 11:51 GMT. Email sent to EE, asking for   
approximate ETA.  
12th October, 2018 at 12:43 GMT. Reply from EE, stating validation   
completed 20 minutes ago. Consumer package to be deployed rather than   
the test variant, will be released this week.  
13th October, 2018 at 19:39 GMT. Email sent to EE, asking for   
notification when consumer version released. Stated I will hold public   
disclosure at present.  
17th October, 2018 at 15:40 GMT. Reply from EE, stating validation has   
been completed, however theirs another minor change needed. Phone call   
to be conducted tomorrow to finalise build and if two changes are   
required or not. Feedback to be provided tomorrow.  
18th October, 2018 at 19:02 GMT. Email sent to EE, asking for updates.  
18th October, 2018 at 19:39 GMT. Reply from EE, testing has been   
completed but another update is going to be included and the bundle will   
be released early next week.  
18th October, 2018 at 20:26 GMT. Email sent to EE, mentioning this was   
said last week and that I will be going public with vulnerability   
disclosure next Wednesday, as this is well over 90 day agreed disclosure   
period.  
21st October, 2018 at 20:17 GMT. Reply from EE, stating they addressed   
the SSH issue by disabling it but another patch needs to be merged to   
manage customer experience. Original validation of vulnerability took   
longer than anticipated.  
23rd October, 2018 at 18:05 GMT. Email sent to EE, asking for further   
updates.  
23rd October, 2018 at 18:11 GMT. Reply from EE, stating release will be   
deployed Thursday and asking for IMEI.  
24th October, 2018 at 20:01 GMT. Email sent to EE, with IMEI.  
24th October, 2018. Full Disclosure via Blog.  
26th October, 2018 at 06:33 GMT. Reply from EE, confirming update should   
be available.  
26th October, 2018 at 07:05 GMT. Email sent to EE, advising that update   
is not showing.  
26th October, 2018 at 09:32 GMT. Reply from EE, advising update is now   
fully available.  
26th October, 2018 at 17:54 GMT. Email sent to EE, adivsing update has   
resolved the issue.  
  
Disclaimer  
The information in the advisory is believed to be accurate at the time   
of publishing based on currently available information. Use of the   
information constitutes acceptance for use in an AS IS condition. There   
are no warranties with regard to this information. Neither the author   
nor the publisher accepts any liability for any direct, indirect, or   
consequential loss or damage arising from use of, or reliance on, this   
information.  
  
  
  
`

0.001 Low

EPSS

Percentile

38.1%

Related for PACKETSTORM:150100