EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 Hard-Coded Credentails

EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 suffers from having hard-coded root SSH credentials.


MD5 | 74d336172195e25186c5df5d4e7c0604

EE 4GEE HH70 Home Router Hardcoded Root SSH Credentials Advisory

Hardware Version/Model: 4GEE Router HH70VB-2BE8GB3 (HH70VB)
Vulnerable Software Version: HH70_E1_02.00_19
Patched Software Version: HH70_E1_02.00_21
Vulnerability CVE(s): CVE-2018-10532
Product URL:
https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-router/details

Vulnerability Description:
An issue was discovered on EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 devices.

Hardcoded root SSH credentials were discovered to be stored within the
"core_app" binary utilised by the EE router for networking services. An
attacker with knowledge of the default password (oelinux123) could login
to the router via SSH as the root user, which could allow for the loss
of confidentiality, integrity, and availability of the system. This
would also allow for the bypass of the "AP Isolation" mode that is
supported by the router, as well as the settings for multiple Wireless
networks, which a user may use for guest clients.

Attack Vectors:
An attacker must be able to communicate with the SSH server, however the
router supports multiple networks and "AP Isolation" mode which could be
bypassed if the malicious user compromises the router with
the default credentials/hard coded SSH credentials.

Attack Type: Remote:
Impact: Administrative SSH Access
Affected Component:
root@OpenWrt:/usr/bin# strings core_app | grep root
sshpass -p oelinux123 scp [email protected]:%s %s
sshpass -p oelinux123 scp %s [email protected]:%s


Reference(s):
https://blog.jameshemmings.co.uk/2018/04/29/4gee-hg70-router-vulnerability-disclosure
https://www.theregister.co.uk/2018/10/26/ee_4gee_hh70_ssh_backdoor
https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-router/details

Disclosure Timeline:
29th April, 2018 at 12:52 GMT. Email sent with technical vulnerability
information and PoC.
10th May, 2018 at 23:23 GMT. Followup email sent, no acknowledgement
received.
11th May, 2018 at 06:47 GMT. Acknowledgement received from EE, remedial
work being reviewed.
29th June, 2018 at 18:56 GMT. Followup email sent, noticed EE security
patch email.. confirming if this fixes vulnerability.
29th June, 2018 at 19:01 GMT. Email from EE, still evaluating fixes of
the vulnerability.
18th July, 2018 at 19:32 GMT. Email sent to EE, asking for update as 90
day window closing shortly.
18th July, 2018 at 22:12 GMT. Reply from EE, asking for IMEI and current
S/W version.
19th July, 2018 at 15:14 GMT. Reply from EE, asking for exact steps to
reproduce issue.
20th July, 2018 at 07:56 GMT. Email sent to EE with requested information.
4th October, 2018 at 22:58 GMT. Email sent to EE asking for update.
5th October, 2018 at 08:29 GMT. Reply from EE stating its patched.
5th October, 2018 at 19:51 GMT. Advised EE that its not patched on this
version.
6th October, 2018 at 06:54 GMT. Reply from EE, stating they will check
with their development team and will come back to me on Monday.
6th October, 2018 at 08:30 GMT. Email to EE acknowledging last email and
that is OK.
6th October, 2018 at 08:40 GMT. Reply from EE asking for clarity on the
vulnerability and the recommended fix, as well as the overall risk rating.
6th October, 2018 at 09:11 GMT. Email sent to EE with the requested
information.
6th October, 2018 at 09:17 GMT. Reply sent from EE, mentioning the
comments/advice is understood and they will be in touch on Monday.
8th October, 2018 at 21:50 GMT. Email sent to EE asking for fix ETA.
8th October, 2018 at 22:03 GMT. Reply from EE, advising they are still
working on the issue and the options. Update to be provided tomorrow.
9th October, 2018 at 20:05 GMT. Reply from EE, confirming SSH
functionality has been disabled in the fix and there is further
verification required before an update is released.
9th October, 2018 at 20:13 GMT. Email sent to EE asking for approximate
ETA and planned fix date.
9th October, 2018 at 20:16 GMT. Reply from EE, stating its being pushed
through as a matter of urgency, that the fix has been verified and the
binary is being compiled at the moment, further verification still required.
12th October, 2018 at 11:51 GMT. Email sent to EE, asking for
approximate ETA.
12th October, 2018 at 12:43 GMT. Reply from EE, stating validation
completed 20 minutes ago. Consumer package to be deployed rather than
the test variant, will be released this week.
13th October, 2018 at 19:39 GMT. Email sent to EE, asking for
notification when consumer version released. Stated I will hold public
disclosure at present.
17th October, 2018 at 15:40 GMT. Reply from EE, stating validation has
been completed, however theirs another minor change needed. Phone call
to be conducted tomorrow to finalise build and if two changes are
required or not. Feedback to be provided tomorrow.
18th October, 2018 at 19:02 GMT. Email sent to EE, asking for updates.
18th October, 2018 at 19:39 GMT. Reply from EE, testing has been
completed but another update is going to be included and the bundle will
be released early next week.
18th October, 2018 at 20:26 GMT. Email sent to EE, mentioning this was
said last week and that I will be going public with vulnerability
disclosure next Wednesday, as this is well over 90 day agreed disclosure
period.
21st October, 2018 at 20:17 GMT. Reply from EE, stating they addressed
the SSH issue by disabling it but another patch needs to be merged to
manage customer experience. Original validation of vulnerability took
longer than anticipated.
23rd October, 2018 at 18:05 GMT. Email sent to EE, asking for further
updates.
23rd October, 2018 at 18:11 GMT. Reply from EE, stating release will be
deployed Thursday and asking for IMEI.
24th October, 2018 at 20:01 GMT. Email sent to EE, with IMEI.
24th October, 2018. Full Disclosure via Blog.
26th October, 2018 at 06:33 GMT. Reply from EE, confirming update should
be available.
26th October, 2018 at 07:05 GMT. Email sent to EE, advising that update
is not showing.
26th October, 2018 at 09:32 GMT. Reply from EE, advising update is now
fully available.
26th October, 2018 at 17:54 GMT. Email sent to EE, adivsing update has
resolved the issue.

Disclaimer
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.




Related Posts