The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-28747, a vulnerability in SmartPLC devices, assessed its impact and developed mitigation measures for this vulnerability.
This hard-coded credentials vulnerability affects SmartPLC devices, specifically the AC14xx and AC4xxS models, with firmware versions up to and including 4.3.17. It allows unauthenticated remote attackers to gain high-privilege access using the hard-coded username “target” and password “target” embedded in the firmware. An attacker can exploit this flaw to access the device configuration and execute various commands, significantly compromising the security of the affected systems. The vulnerability has a CVSS base score of 9.8, indicating a critical level of severity due to its easy exploitability and severe impact on confidentiality, integrity and availability. Associated with CWE-798, this vulnerability highlights the dangers of using hard-coded credentials in firmware. The Exploit Prediction Scoring System (EPSS) gives it a 0.09% probability of exploitation within the next 30 days, placing it in the 39th percentile of vulnerabilities most likely to be exploited. We anticipate the EPSS score may increase over the next 30 days as a result of this publication. It is recommended to update to firmware version 6.1.8 or later. For more details and mitigation steps, refer to the advisory on CERT VDE and the National Vulnerability Database (NVD).
In the affected versions listed above, the presence of hard-coded credentials within the firmware allows an attacker to log in to the device over the telnet service. The telnet server, as defined in its xinetd.d configuration, transmits username/password pairs without encryption, which magnifies the risk. Once the attacker gains access, they can leverage these credentials to obtain high-level privileges on the SmartPLC devices.
PASSWD Information
The passwd file in the etc directory provides critical information on the user accounts (see Figure 1). The 'target' user account carries a password hash that was successfully cracked with John the Ripper (see Figure 2), revealing the credentials used for remote access.
Figure 1: PASSWD Entry Hash
In Figure 1, the entry in the passwd file can be broken down into individual components:
Figure 2: John the Ripper cracked password
User Groups
Each user belongs to specific groups, as defined in the /etc/group file (see Figure 3), which dictates their permissions and access levels within the system.
Figure 3: User group
Telnet Service Configuration
The telnet service is configured to run as root (see Figure 4), allowing high-level access upon successful login. The configuration leaves the service enabled, and its failure logging includes USERID for tracking.
Figure 4: Telnet service configuration
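The passwd breakdown (Figure 1), the group membership (Figure 3) and the xinetd telnet stanza (Figure 4) are the three artifacts a firmware reviewer would check for this class of issue. The following script is an added example, not code from the original article or from ifm: it parses those three files from an extracted firmware image and reports login-capable accounts alongside an enabled cleartext telnet service running as root. All inputs are constructed samples; the password hash is a placeholder and not the real value from the device.

```python
"""Audit an extracted firmware root for the conditions described above:
a login-capable account in /etc/passwd and an enabled xinetd telnet
service running as root. Sample inputs are constructed for this example."""
import re
from dataclasses import dataclass

# Constructed /etc/passwd sample. The 'target' hash is a placeholder,
# not the real hash from the firmware.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
target:$1$PLACEHOLDERHASH:500:100:Target User:/home/target:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
nobody:!:99:99:nobody:/:/bin/false
"""

# Constructed /etc/group sample.
SAMPLE_GROUP = """root:x:0:root
users:x:100:target
"""

# Constructed xinetd.d stanza modelled on a typical telnet service file.
SAMPLE_XINETD_TELNET = """service telnet
{
    disable         = no
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


@dataclass
class PasswdEntry:
    """The seven colon-separated fields of one passwd line."""
    name: str
    pw_field: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Split passwd lines into their components; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        entries.append(PasswdEntry(parts[0], parts[1], int(parts[2]),
                                   int(parts[3]), parts[4], parts[5], parts[6]))
    return entries


def parse_group(text):
    """Map group name -> (gid, explicit member list)."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4:
            continue
        groups[parts[0]] = (int(parts[2]), [m for m in parts[3].split(",") if m])
    return groups


def login_capable(entry):
    """True when the passwd line itself carries a hash (not shadowed with 'x',
    not locked with '*' or '!') and the account has an interactive shell."""
    pw = entry.pw_field
    has_hash = pw not in ("", "x", "*") and not pw.startswith("!")
    return has_hash and entry.shell not in NOLOGIN_SHELLS


def parse_xinetd_services(text):
    """Parse 'service NAME { key = value ... }' stanzas into dicts.
    '+=' and '-=' lines are recorded by key; their operator is not preserved."""
    services = {}
    for m in re.finditer(r"service\s+(\S+)\s*\{([^}]*)\}", text):
        attrs = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            km = re.match(r"(\w+)\s*(\+=|-=|=)\s*(.*)", line)
            if km:
                attrs[km.group(1)] = km.group(3).strip()
        services[m.group(1)] = attrs
    return services


def audit(passwd_text, group_text, xinetd_text):
    """Return human-readable findings for the reviewer."""
    findings = []
    groups = parse_group(group_text)
    for e in parse_passwd(passwd_text):
        if login_capable(e):
            member_of = sorted(g for g, (gid, members) in groups.items()
                               if gid == e.gid or e.name in members)
            findings.append(f"login-capable account '{e.name}' "
                            f"(uid {e.uid}, shell {e.shell}, groups {member_of})")
    for name, attrs in parse_xinetd_services(xinetd_text).items():
        enabled = attrs.get("disable", "no").lower() != "yes"
        if enabled and "telnetd" in attrs.get("server", ""):
            msg = f"cleartext telnet service '{name}' enabled"
            if attrs.get("user") == "root":
                msg += " and running as root"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_XINETD_TELNET):
        print(finding)
```

Run against a real extract, the three `SAMPLE_` strings would be replaced by the contents of `etc/passwd`, `etc/group` and the relevant `etc/xinetd.d` file. The `login_capable` check deliberately treats a shadowed field (`x`) as not decidable from passwd alone, since the hash would then live in `etc/shadow`.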
An attacker can remotely gain unauthorized access with high privileges by following these steps:
This vulnerability poses a significant risk as it allows for a complete takeover of industrial control systems, potentially leading to severe operational disruptions.
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
The risks posed by this vulnerability can be mitigated or eliminated by:
VDE-2024-012 ifm: Vulnerabilities in ifm AC14 firmware
National Vulnerability Database (NVD)
Common Vulnerability Scoring System Calculation
CWE-798: Use of Hard-coded Credentials