CVE-2024-28875

30.10.2024, 14:15

A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The backdoor string can be found at address 0x80100910

    80100910 40 6d 21 74        ds         "@m!t2K1"
             32 4b 31 00
             
It is referenced by the function located at 0x800b78b0 and is used as shown in the pseudocode below:

    if ((SECOND_FROM_BOOT_TIME < 300) &&
        (is_equal = strcmp(password,"@m!t2K1")) {
            return 1;}
            
Where 1 is the return value to admin-level access (0 being fail and 3 being user).

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
talos	CNA	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 26%

Vendor	Product	Version
level1	wbr-6012_firmware	r0.40e6:e6

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-798 - Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

References

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1979