Hard-coded credentials for multiple users in firmware of D-Link DVG-3104MS and DVX-2000MS
=========================================================================================

Product: D-Link DVG-3104MS, D-Link DVX-2000MS
CVE: not yet assigned
CWE: CWE-259, CWE-798
Risk factor: Critical
Found: 2021-08-06
Researcher: Daniel Nussko

CVSS Base Score
===============

CVSSv3 Overall Score: 9.8 (Critical)
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description
===========

In D-Link products DVG-3104MS and DVX-2000MS there are hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. Because weak passwords were used, the plaintext passwords can be recovered from the hash values. With both username and password, an attacker is able to log in via Telnet and thus gain access to the underlying embedded Linux operating system on the device.

Proof of Concept
================

1. Connect to the device

2. Read '/etc/passwd'

   root:lAY[...]VDo:0:0:root:/root:/bin/sh
   CLI:lAY[...]VDo:0:0:root:/root:/bin/sh
   demo:U0d[...]StA:5000:5000:Demo User:/home/demo:/bin/bash
   maintain:c2S[...]Siw:6000:6000:maintainer:/var:/bin/sh
   nobody:*:32767:32767:Nobody:/home/demo:/bin/bash
   cloudraker:$1$$8Zd[...]NZ1:32770:32770:Linux User,,,:/home/cloudraker:/bin/sh
   pmc:$1$$1BT[...]Hd/:32771:32771:Linux User,,,:/home/pmc:/bin/sh

3. After performing a dictionary attack on the password hashes, the following passwords have been recovered:

   Username   | Password
   -----------------------
   root       | [...]
   CLI        | [...]
   cloudraker | [...]
   maintain   | [...]
   pmc        | [...]
   demo       | [...]

Impact
======

The vulnerability allows an attacker to gain unauthorized access to the device.

Recommendation
==============

Remove hard-coded credentials from the firmware of the affected devices.
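
To catch this class of finding before release, '/etc/passwd' from an unpacked firmware image can be audited for embedded password hashes, additional UID 0 accounts and hashes shared between accounts. The following Python script is an added example, not part of the original advisory or the vendor's code. The sample input is constructed (account layout as in the advisory, placeholder hash fields), and the function names and the list of non-login shells are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: layout follows the advisory; hash fields are placeholders.
SAMPLE = """\
root:AAAAAAAAAAAAA:0:0:root:/root:/bin/sh
CLI:AAAAAAAAAAAAA:0:0:root:/root:/bin/sh
maintain:BBBBBBBBBBBBB:6000:6000:maintainer:/var:/bin/sh
nobody:*:32767:32767:Nobody:/home/demo:/bin/bash
pmc:$1$$CCCCCCCCCCCCCCCCCCCCCC:32771:32771:Linux User,,,:/home/pmc:/bin/sh
"""

NO_LOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}  # assumed list
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}

def scheme_of(field):
    """Name the crypt(3) scheme of a passwd field; None if it holds no hash."""
    if field == "x" or field[:1] in ("*", "!"):
        return None                      # shadowed or locked account
    if field == "":
        return "empty"                   # no password required at all
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"               # traditional 13-character crypt
    m = re.match(r"\$([^$]+)\$([^$]*)\$", field)
    if not m:
        return "unknown"
    name = SCHEMES.get(m.group(1), "$" + m.group(1) + "$")
    return name + ("" if m.group(2) else " (empty salt)")

def audit(passwd_text):
    """Return sorted (user, finding) tuples for a firmware /etc/passwd."""
    findings, by_hash = set(), defaultdict(list)
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue                     # skip malformed or blank lines
        user, field, uid, shell = parts[0], parts[1], parts[2], parts[6]
        scheme = scheme_of(field)
        if uid == "0" and user != "root":
            findings.add((user, "extra UID 0 account"))
        if scheme is None or shell in NO_LOGIN:
            continue                     # nothing to log in with
        findings.add((user, "embedded credential: " + scheme))
        if scheme != "empty":
            by_hash[field].append(user)
    for users in by_hash.values():
        if len(users) > 1:
            findings.update((u, "hash shared with another account") for u in users)
    return sorted(findings)
```

Calling `audit()` on the contents of the image's '/etc/passwd' returns one tuple per finding; an empty list means no login-capable account carries a credential in that file.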

Affected Devices
================

- D-Link DVX-2000MS
- D-Link DVG-3104MS (1.0.2.0.4E)
- D-Link DVG-3104MS (1.0.2.0.4)
- D-Link DVG-3104MS (1.0.2.0.3)

Timeline
========

2021-08-07: Vendor informed via email
2021-08-10: Vendor answered and stated that the affected products have reached their End-of-Service-Life
2021-08-17: Vendor published an announcement about the affected products
  - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10236
  - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10237