The software contains a hard-coded password that could allow an attacker to take control of the merging unit using these hard-coded credentials on the MU320E (all firmware versions prior to v04A00.1).

CVE-2021-27452

BB-ESWGP506-2SFP-T versions 1.01.09 and prior is vulnerable due to the use of hard-coded credentials, which may allow an attacker to gain unauthorized access and permit the execution of arbitrary code on the BB-ESWGP506-2SFP-T (versions 1.01.01 and prior).

CVE-2021-22667

IBM Spectrum Protect Plus 10.1.0 thorugh 10.1.6 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 190454.

  

**Summary**

IBM Spectrum Protect Plus contains hard-coded credentials which could allow a remote attacker to gain elevated privileges. UPDATED: 24 February 2021 - Remediation/Fixes section updated with additional vSnap requirements for upgrading to 10.1.7. UPDATED: 23 April 2021 - Added 10.1.8 fix which eliminates the need to perform the additional steps that were required when upgrading to 10.1.7.

**Vulnerability Details**

**CVEID:**   CVE-2020-4854  
**DESCRIPTION:**   IBM Spectrum Protect Plus contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190454 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Spectrum Protect Plus

10.1.0-10.1.6

**Remediation/Fixes**

*   First, uninstall the vSnap software: sudo yum remove vsnap
*   Next, delete the internal vsnap user: sudo userdel -r -f vsnap

  

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

This vulnerability was reported to IBM by Tenable

**Change History**

20 November 2020: Initial Publication  
24 February 2021 - Updated Remediation/Fixes section with additonal vSnap requirements.  
23 April 2021 - Updated Remediation/Fixes section with 10.1.8 which has removed the need to perform the additional that were required when upgrading to 10.1.7.

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSNQFQ","label":"IBM Spectrum Protect Plus"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"10.1.0-10.1.6","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}\]

CVE-2020-4854: Static Credential Vulnerability in IBM Spectrum Protect Plus (CVE-2020-4854)

Use of Hard-coded Credentials in temi Robox OS prior to 120, temi Android app up to 1.3.7931 allows remote attackers to listen in on any ongoing calls between temi robots and their users if they can brute-force/guess a six-digit value via unspecified vectors.

CVE-2020-16170: Call an Exorcist! My Robot’s Possessed!

IBM QRadar 7.3.0 to 7.3.3 Patch 2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-ForceID: 175845.

CVE-2020-4269: IBM QRadar information disclosure CVE-2020-4269 Vulnerability Report

An exploitable use of hard-coded credentials vulnerability exists in multiple iw_* utilities of the Moxa AWK-3131A firmware version 1.13. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts.

**Summary**

An exploitable use of hard-coded credentials vulnerability exists in multiple iw\_\* utilities of the Moxa AWK-3131A firmware version 1.13. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts.

**Tested Versions**

Moxa AWK-3131A Firmware version 1.13

**Product URLs**

http://www.moxa.com/product/AWK-3131A.htm

**CVSSv3 Score**

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-798: Use of Hard-coded Credentials

**Details**

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.

A hard coded password (moxaiwroot) is used while decrypting any diagnostic scripts uploaded through the device’s troubleshooting portal. With this password it is possible to create custom diagnostic scripts to run on the device.

Disassembly for each of the four locations can be found below:

**iw\_troubleshoot**

    ...
    00402a38  8fdc0018   lw      $gp, 0x18($fp) {var_c8}
    00402a3c  3c020040   lui     $v0, 0x40
    00402a40  24444fe4   addiu   $a0, $v0, 0x4fe4  {0x404fe4, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s%s"}
    00402a44  3c020040   lui     $v0, 0x40
    00402a48  24454fd0   addiu   $a1, $v0, 0x4fd0  {0x404fd0, "/var/ts_zip_result"}
    00402a4c  3c020040   lui     $v0, 0x40
    00402a50  24464f90   addiu   $a2, $v0, 0x4f90  {0x404f90, "/var/"}
    00402a54  8fc70100   lw      $a3, 0x100($fp) {arg6}
    00402a58  8f828050   lw      $v0, -0x7fb0($gp)  {iw_system_quiet}
    00402a5c  0040c821   move    $t9, $v0
    00402a60  0320f809   jalr    $t9
    

There is a second location in iw_troubleshoot where the password is used: … 00402ee0 8fdc0020 lw $gp, 0x20($fp) {var\_e48} 00402ee4 8fc20e78 lw $v0, 0xe78($fp) {arg4} 00402ee8 8c420000 lw $v0, ($v0) 00402eec 8fc30e6c lw $v1, 0xe6c($fp) {arg\_4} 00402ef0 afa30010 sw $v1, 0x10($sp) {var\_e58} 00402ef4 8fc30e70 lw $v1, 0xe70($fp) {arg\_8} 00402ef8 afa30014 sw $v1, 0x14($sp) {var\_e54} 00402efc 27c3003c addiu $v1, $fp, 0x3c {var\_e2c} 00402f00 afa30018 sw $v1 {var\_e2c}, 0x18($sp) {var\_e50} 00402f04 3c030040 lui $v1, 0x40 00402f08 246450cc addiu $a0, $v1, 0x50cc {0x4050cc, “openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %sTS\_%d\_%s\_%s\_%s.aes”} 00402f0c 3c030040 lui $v1, 0x40 00402f10 24654fd0 addiu $a1, $v1, 0x4fd0 {0x404fd0, “/var/ts\_zip\_result”} 00402f14 3c030040 lui $v1, 0x40 00402f18 24664f90 addiu $a2, $v1, 0x4f90 {0x404f90, “/var/”} 00402f1c 00403821 move $a3, $v0 00402f20 8f828050 lw $v0, -0x7fb0($gp) {iw\_system\_quiet} 00402f24 0040c821 move $t9, $v0 00402f28 0320f809 jalr $t9 00402f2c 00000000 nop  
…

**iw\_onekey**

    ...
    00401aec  8fdc0010   lw      $gp, 0x10($fp) {var_10}
    00401af0  3c020040   lui     $v0, 0x40
    00401af4  24442954   addiu   $a0, $v0, 0x2954  {0x402954, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s"}
    00401af8  3c020040   lui     $v0, 0x40
    00401afc  24452944   addiu   $a1, $v0, 0x2944  {0x402944, "/var/rdinfo.zip"}
    00401b00  3c020040   lui     $v0, 0x40
    00401b04  2446298c   addiu   $a2, $v0, 0x298c  {0x40298c, "/var/rdinfo.aes"}
    00401b08  8f828048   lw      $v0, -0x7fb8($gp)  {iw_system_quiet}
    00401b0c  0040c821   move    $t9, $v0
    00401b10  0320f809   jalr    $t9
    00401b14  00000000   nop    
    ... 
    

**iw\_webs**

    00457dcc  27bdfed8   addiu   $sp, $sp, -0x128
    00457dd0  afbf0124   sw      $ra, 0x124($sp) {__saved_$ra}
    00457dd4  afbe0120   sw      $fp, 0x120($sp) {__saved_$fp}
    00457dd8  03a0f021   move    $fp, $sp {var_128}
    00457ddc  3c1c004d…  li      $gp, 0x4cb8f0
    00457de4  afbc0010   sw      $gp, 0x10($sp) {var_118}  {_gp}
    00457de8  afc40128   sw      $a0, 0x128($fp) {arg_0}
    00457dec  afc5012c   sw      $a1, 0x12c($fp) {arg_4}
    00457df0  afc0001c   sw      $zero, 0x1c($fp) {var_10c}  {0x0}
    00457df4  afc00018   sw      $zero, 0x18($fp) {var_110}  {0x0}
    00457df8  3c020047   lui     $v0, 0x47
    00457dfc  244416e4   addiu   $a0, $v0, 0x16e4  {0x4716e4, "openssl aes-256-cbc -d -k moxaiwroot -salt -in \"%s\" -out \"%s\""}
    00457e00  8fc50128   lw      $a1, 0x128($fp) {arg_0}
    00457e04  8fc6012c   lw      $a2, 0x12c($fp) {arg_4}
    00457e08  8f828764   lw      $v0, -0x789c($gp)  {iw_system}
    00457e0c  0040c821   move    $t9, $v0
    00457e10  0320f809   jalr    $t9
    00457e14  00000000   nop     
    ...
    

**Timeline**

2019-10-22 - Vendor Disclosure  
2020-02-24 - Public Release

Discovered by Patrick DeSantis, Carl Hurd, and Jared Rittle of Cisco Talos.

CVE-2019-5139: TALOS-2019-0928 || Cisco Talos Intelligence Group

IBM Security Guardium Big Data Intelligence (SonarG) 4.0 uses hard coded credentials which could allow a local user to obtain highly sensitive information. IBM X-Force ID: 161035.

CVE-2019-4309: IBM Security Guardium Big Data Intelligence information disclosure CVE-2019-4309 Vulnerability Report

The SSH service is enabled on the Zingbox Inspector versions 1.294 and earlier, exposing SSH to the local network. When combined with PAN-SA-2019-0027, this can allow an attacker to authenticate to the service using hardcoded credentials.

Palo Alto Networks Security Advisories / CVE-2019-15017

Attack Vector **LOCAL**

Scope **UNCHANGED**

Attack Complexity **LOW**

Confidentiality Impact **HIGH**

Privileges Required **NONE**

Integrity Impact **HIGH**

User Interaction **NONE**

Availability Impact **HIGH**

NVD JSON

Published **2019-10-01**

Updated

Reference **PAN-SA-2019-0029**

Discovered **internally**

**Description**

The SSH service is enabled on the Zingbox Inspector, exposing SSH to the local network. When combined with PAN-SA-2019-0027, this can allow an attacker to authenticate to the service using hardcoded credentials. (Ref: CVE-2019-15017)

The vulnerability allows for users to authenticate to the software using hardcoded credentials if access to SSH on the Zingbox Inspector is not otherwise restricted (see also PAN-SA-2019-0027).

This issue affects Zingbox Inspector, versions 1.294 and earlier.

**Product Status**

Versions

Affected

Unaffected

Zingbox Inspector 1

<= 1.294

\>= 1.295

**Severity:HIGH**

CVSSv3.1 Base Score:8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Weakness Type**

CWE-798 Use of Hard-coded Credentials

**Solution**

Zingbox Inspector, version 1.295 and later.

**Workarounds and Mitigations**

In the normal course of operation, Zingbox Inspector automatically updates its own software, and a fixed version of software has already been made available. No user action is required unless the software is unable to update itself. Customers still running affected versions of Zingbox Inspector software can mitigation this issue by updating to a patched version, or by disabling access to port 22 on the Zingbox Inspector by using a firewall.

**Acknowledgments**

Note: This security issue was found during an internal security audit performed during the Palo Alto Networks acquisition of Zingbox. The issues discovered during this process have been addressed in software updates as described in the published Zingbox security advisories.

CVE-2019-15017: CVE-2019-15017 SSH Service Exposed in Zingbox Inspector

In the Zingbox Inspector, versions 1.294 and earlier, hardcoded credentials for root and inspector user accounts are present in the system software, which can result in unauthorized users gaining access to the system.

Palo Alto Networks Security Advisories / CVE-2019-15015

Attack Vector **LOCAL**

Scope **UNCHANGED**

Attack Complexity **LOW**

Confidentiality Impact **HIGH**

Privileges Required **NONE**

Integrity Impact **HIGH**

User Interaction **NONE**

Availability Impact **HIGH**

NVD JSON

Published **2019-10-01**

Updated

Reference **PAN-SA-2019-0027**

Discovered **internally**

**Description**

Hardcoded credentials for root and inspector user accounts are present in the system software. (Ref: CVE-2019-15015)

The vulnerability allows for users to authenticate to the software using hardcoded credentials if access to SSH on the Zingbox Inspector is not otherwise restricted (see also PAN-SA-2019-0029).

This issue affects Zingbox Inspector, versions 1.294 and earlier.

**Product Status**

Versions

Affected

Unaffected

Zingbox Inspector 1

<= 1.294

\>= 1.295

**Severity:HIGH**

CVSSv3.1 Base Score:8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Weakness Type**

CWE-798 Use of Hard-coded Credentials

**Solution**

Zingbox Inspector, version 1.295 and later.

**Workarounds and Mitigations**

In the normal course of operation, Zingbox Inspector automatically updates its own software, and a fixed version of software has already been made available. No user action is required unless the software is unable to update itself. Customers still running affected versions of Zingbox Inspector software can mitigation this issue by updating to a patched version, or by manually running the command "passwd" to change the password for the inspector/root users. See product documentation for more information on how to change passwords for system users.

**Acknowledgments**

Note: This security issue was found during an internal security audit performed during the Palo Alto Networks acquisition of Zingbox. The issues discovered during this process have been addressed in software updates as described in the published Zingbox security advisories.

Tag

#hard_coded_credentials