Hard-coded credentials in firmware of D-Link DSR-500N
=====================================================

Product:      D-Link DSR-500N
CVE:          not yet assigned
CWE:          CWE-259, CWE-798
Risk factor:  Critical
Found:        2021-08-06
Researcher:   Daniel Nussko

CVSS Base Score
===============

CVSSv3 Overall Score: 9.8 (Critical)
CVSSv3 Vector:        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description
===========

In the D-Link product DSR-500N there are hard-coded credentials for an
undocumented user account in the '/etc/passwd' file. If an attacker succeeds
in recovering the cleartext password of the identified hash value, they will
be able to log in via SSH or Telnet and thus gain access to the underlying
embedded Linux operating system on the device.

Proof of Concept
================

1. Connect to the device
2. Read '/etc/passwd'

   root:!:0:0:root:/root:/bin/sh
   F4Gt6debUqxFA3PR:p6j[...]y5U:0:0:root:/:/bin/sh
   nobody:x:0:0:nobody:/nonexistent:/bin/false

Impact
======

The vulnerability allows an attacker to gain unauthorized access to the
device.

Recommendation
==============

The hard-coded credentials have been removed from the firmware in version
2.12/2.13. Therefore, the firmware of the device should be updated to the
latest version.

Affected Devices
================

- D-Link DSR-500N (1.02)

Timeline
========

2021-08-07: Vendor informed via email
2021-08-10: Vendor answered and stated that the affected products have
            reached their End-of-Service-Life
2021-08-17: Vendor published an announcement about the affected products
            - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10235
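The '/etc/passwd' excerpt above shows the two indicators a firmware reviewer looks for: a password hash stored directly in the world-readable passwd file instead of a locked marker ('x', '!' or '*'), and an extra account that shares UID 0 with root and has an interactive shell. The following script is an added example, not part of the advisory and not D-Link's code: it parses a passwd file extracted from a firmware image and reports those conditions. The sample input is constructed to mirror the advisory's excerpt, with a placeholder in the hash field rather than the real value.

```python
"""Audit an /etc/passwd file from an extracted firmware image for
hard-coded or over-privileged accounts (CWE-259 / CWE-798 indicators)."""
import sys

# Constructed sample modelled on the advisory's excerpt; the hash field of
# the undocumented account is a placeholder, not the real device value.
SAMPLE_PASSWD = """\
root:!:0:0:root:/root:/bin/sh
F4Gt6debUqxFA3PR:$1$PLACEHOLDER$notarealhash0000000:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
"""

# Password-field values that mean "no usable password here".
LOCKED_MARKERS = {"x", "!", "!!", "*", ""}
# Shells that do not give an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Return a list of dicts, one per non-empty, non-comment passwd line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "password": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def audit_passwd(text):
    """Return (account, finding) tuples for suspicious entries."""
    findings = []
    entries = parse_passwd(text)
    for e in entries:
        if e["password"] not in LOCKED_MARKERS:
            # A hash in /etc/passwd is readable by every local process and
            # can be attacked offline; legitimate systems keep it in /etc/shadow.
            findings.append((e["name"], "password hash stored inline in /etc/passwd"))
            if e["uid"] == 0 and e["shell"] not in NOLOGIN_SHELLS:
                findings.append((e["name"], "uid 0 account with interactive shell and inline hash"))
    uid0 = [e["name"] for e in entries if e["uid"] == 0]
    if len(uid0) > 1:
        findings.append((",".join(uid0), "multiple accounts share uid 0"))
    return findings


def main(argv):
    # Usage: python audit_passwd.py <path-to-extracted-etc-passwd>
    # With no argument the constructed sample is audited.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PASSWD
    findings = audit_passwd(text)
    for account, msg in findings:
        print(f"[!] {account}: {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the 'etc/passwd' of an unpacked firmware root filesystem; a non-zero exit status marks an image that needs a closer look. The check is deliberately conservative: it flags any non-locked password field, so a system that legitimately stores hashes in passwd (no shadow support) will also be reported, which is itself worth knowing about an embedded device.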