CVE-2022-36560: seiko-skybridge-MB-A200.md
Seiko SkyBridge MB-A200 v01.00.04 and below was discovered to contain multiple hard-coded passcodes for root. Attackers are able to access the passcodes at /etc/srapi/config/system.conf and /usr/sbin/ssol-sshd.sh.
Seiko SkyBridge MB-A200 series vulnerabilities.
Product Description:
The SkyBridge MB-A200 from Seiko is an LTE wireless router for IoT/M2M that supports a variety of communication interfaces, including LTE, 4G, 3G, Wi-Fi, LAN, wired WAN and GPS, for high-speed data communication.
Affected Products:
All Seiko SkyBridge MB-A200 devices running firmware version 01.00.04 and below.
Vulnerability Summary:
Vulnerability 1 - Unauthenticated OS Command Injection.
The SkyBridge MB-A200 is affected by an unauthenticated remote command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands as the root user through the PING HTTP POST parameter of the ping_exec.cgi page. This issue affects all SkyBridge MB-A200 firmware versions 01.00.04 and below.
Vulnerability 2 - Use of Hard-coded Cleartext Password.
The SkyBridge MB-A200 series contains multiple hard-coded cleartext credentials for a hidden root user account in the /etc/srapi/config/system.conf and /usr/sbin/ssol-sshd.sh files. A malicious actor can extract and decompile the firmware image to obtain both the web UI root password and the CLI root password. This issue affects all SkyBridge MB-A200 firmware versions 01.00.04 and below.
Reproduction Steps:
- Unauthenticated OS Command Injection.
The endpoint /cgi-bin/ping_exec.cgi can be called remotely without user authentication: there is no cookie verification, so a request carrying an arbitrary value (Cookie: FAKE_VALUE) is accepted as legitimate. The second problem is that the value of the POST parameter PING is passed to the shell without validation, so it can be used to execute any Linux command. In the example below we create a crafted query that lists the files of the /www/cgi-bin directory.
Payload
- Use of Hard-coded Cleartext Password.
By default, SkyBridge MB-A200 devices ship with built-in cleartext passwords for the root account that can be recovered by extracting the firmware image and reverse engineering it. We found that the file /etc/srapi/config/system.conf contains a cleartext variable called WEBUI_ROOT_PASSWORD, which grants access to the web management interface as root, and that the file /usr/sbin/ssol-sshd.sh contains a variable called CLI_ROOT_PASSWORD, which grants access to the CLI interface (SSH).
Recommendation Fixes / Remediation:
Vulnerability 1: Strengthen input validation by checking that the input contains only alphanumeric characters and no other syntax or whitespace; a whitelist of permitted values is also recommended. Please see the following link for more details: https://cwe.mitre.org/data/definitions/78.html
Vulnerability 2: Generate a different password for each device. During the manufacturing process, set a randomly generated password that is unique to each device (e.g. print the password on a sticker for local access). Risk: since the passwords are shared among devices, an attacker who recovers them once (e.g. with physical access to a device) can access every reachable device. Please see the following link for more details: https://cwe.mitre.org/data/definitions/1188.html
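As an added illustration of the validation recommended for Vulnerability 1 (example code written for this advisory, not the vendor's ping_exec.cgi; the function names and the fixed ping arguments are assumptions), the following C code accepts only hostname or IPv4 characters for the PING target and hands the value to the ping binary as a single argv element, so no shell ever parses it. The missing session-cookie check is a separate fix and is not covered here.

```c
/* Hardened handling of a ping-target CGI parameter (added example). */
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_TARGET_LEN 253   /* longest valid DNS name */

/* Return 1 if `s` looks like a hostname or IPv4 literal built only from
 * [A-Za-z0-9.-], with no leading/trailing '-' or '.' and no empty label.
 * Every shell metacharacter (space, ';', '|', '$', '`', ...) is rejected
 * because it is not in the allowed set; a leading '-' is rejected so the
 * value can never be interpreted as a ping option. */
int valid_ping_target(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_TARGET_LEN) return 0;
    if (s[0] == '-' || s[0] == '.' || s[n - 1] == '-' || s[n - 1] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
        if (c == '.' && s[i + 1] == '.') return 0;   /* empty label "a..b" */
    }
    return 1;
}

/* Run /bin/ping with a fixed argument vector. The target is one argv
 * element, so it is never concatenated into a shell command line.
 * Returns ping's exit status, or -1 if the target is invalid or the
 * process could not be started. */
int run_ping(const char *target)
{
    if (!valid_ping_target(target)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "3", "-W", "2", (char *)target, NULL };
        execv("/bin/ping", argv);   /* no /bin/sh involved */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```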
Vulnerable Devices Found:
As of 3 August 2022, 968 SkyBridge MB-A200 series devices exposed to the internet were affected by the vulnerabilities described here.
Reference:
https://www.seiko-sol.co.jp/products/skybridge/lineup/mb-a200/
Security researchers:
- Thomas Knudsen
- Samy Younsi