Protecting SmartPLC Devices from Critical Hardcoded Credential Vulnerability CVE 2024 28747

Overview

The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-28747, a vulnerability in SmartPLC devices, assessed its impact and developed mitigation measures for this vulnerability.

This vulnerability of hardcoded credentials affects SmartPLC devices, specifically the AC14xx and AC4xxS models, with firmware versions up to and including 4.3.17. It allows unauthenticated remote attackers to gain high-privilege access using hard-coded credentials of username "target" and password "target" embedded in the firmware. An attacker can exploit this flaw to access the device configuration and execute various commands, significantly compromising the security of the affected systems. The vulnerability has a CVSS base score of 9.8, indicating a critical level of severity due to its easy exploitability and severe impact on confidentiality, integrityand availability. Associated with CWE-798, this vulnerability highlights the dangers of using hard-coded credentials in firmware. The exploit prediction scoring system (EPSS) gives it a 0.09% probability of exploitation within the next 30 days, placing it in the 39th percentile of vulnerabilities most likely to be exploited. We anticipate there might be an increase in the EPSS score as a result of this publication in the next 30 days. It is recommended to update to firmware version 6.1.8 or later. For more details and mitigation steps, refer to the advisory on CERT VDEand the National Vulnerability Database (NVD).

Technical Overview

In the affected versions above, the presence of hard-coded credentials within the firmware allows an attacker to log in to the device using the telnet service. The telnet server configuration, as defined in the xinetd.d configuration, does not use encryption for username/password pairs, which magnifies the risk. Once the attacker gains access, they can leverage these credentials to obtain high-level privileges on the SmartPLC devices.

PASSWD Information

The passwdfile in the etc directory provides critical information on the user accounts (see Figure 1). The 'target' user account has been identified with a hashed password that has been successfully cracked (see Figure 2), revealing the credentials for remote access.

[Link]

Figure 1: PASSWD Entry Hash

In Figure 1, the entry in the passwd filecan be broken down into individualcomponents:

• Username: The user's login name

• Password: Encrypted or hashed password

• User ID (UID): Numerical ID of the user

• Group ID (GID): Numerical ID of the user's primary group

• User Info: A comment field

• Home Directory: Path to the user's home directory

• Shell: Path to the user's login shell
  

Figure 2: John the Ripper cracked password

User Groups

Each user belongs to specific groups, as defined in the /etc/groupfile (see Figure 3), which dictates their permissions and access levels within the system.

[Link]

Figure 3: User group

Telnet Service Configuration

The telnet service is configured to run as root (see Figure 4), allowing high-level access upon successful login. The configuration does not disable the service and logs on failure include USERID for tracking.

Figure 4: Telnet service configuration

Explanation of Parameters

• flags = REUSE: This flag indicates that the server should reuse the socket for multiple connections. It allows the same socket to be used for new incoming connections without closing and reopening it.

• socket_type = stream: This specifies the type of socket used. "stream" indicates a stream socket, typically used for TCP connections, which provides reliable, ordered, and error-checked delivery of a stream of bytes.

• wait = no: This setting specifies whether the server should wait for the process handling the connection to complete before accepting new connections. "no" means that the server can handle multiple connections simultaneously.

• user = root: This specifies the user account under which the telnet daemon (telnetd) will run. "root" means that the telnetd will run with root privileges, which can pose a security risk if not properly secured.

• server = /usr/sbin/telnetd: This specifies the path to the telnet server daemon that will handle the incoming telnet connections.

• server_args = -i: This provides additional arguments to the server daemon. The "-i" option typically indicates that the server should operate in "inetd" mode, meaning it is controlled by the inetd super-server.

• log_on_failure += USERID: This directive specifies logging options. "USERID" indicates that the server should log the user ID of the failed connection attempts.

• disable = no: This indicates whether the service is enabled or disabled. "no" means that the telnet service is enabled and can accept connections.
  

Exploitation

An attacker can remotely gain unauthorized access with high privileges by following these steps:

• Identify the Target Device: The attacker first identifies an ifm Smart PLC device running the vulnerable firmware. This can be achieved by scanning networks for devices using the specific model signatures or known IP ranges.

• Initiate a Telnet Session: Using a telnet client, the attacker connects to the device's telnet service. The telnet configuration on the device is set to allow root access without encryption, making it susceptible to interception and exploitation.

• Utilize Hard-Coded Credentials: The attacker inputs the hard-coded credentials (target:target) during the login prompt. These credentials are known to be hard-coded within the firmware and have been successfully cracked using tools like John the Ripper.

• Gain Root Access: Upon successful login, the attacker gains root privileges on the device due to the telnet service running under the root user context. This allows full control over the device, enabling the attacker to modify configurations, access sensitive data, or disrupt operations.

• Leverage Access for Further Exploitation: With root access, the attacker can potentially exploit other vulnerabilities within the network, establish persistent backdoors, or pivot to other systems connected to the same network.
  

This vulnerability poses a significant risk as it allows for a complete takeover of industrial control systems, potentially leading to severe operational disruptions.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

• IPS: 20183 ifm SmartSPS Default Account Login

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

• Remove or replace hard-coded credentials.

• Utilizing up-to-date IPS signatures to filter network traffic.

• Ensure that users do not have unnecessary high privileges.

• Update to Firmware Version 6.1.8 or later.
  

Relevant Links

VDE-2024-012 ifm: Vulnerabilities in ifm AC14 firmware

National Vulnerability Database (NVD)

Common Vulnerability Scoring System Calculation

CWE-798: Use of Hard-coded Credentials

CVE Numbering Authority (CNA) Partner Information

ifm electronic GmbH