CVE-2017-18371 in P660HN-T1A
Summary
by MITRE
The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has three user accounts with default passwords, including two hardcoded service accounts: one with the username true and password true, and another with the username supervisor and password zyad1234. These accounts can be used to log in to the web interface, exploit authenticated command injections, and change router settings for malicious purposes.
Analysis
by VulDB Data Team • 09/11/2023
The vulnerability identified as CVE-2017-18371 represents a critical security flaw in the ZyXEL P660HN-T1A v2 router firmware version 7.3.37.6 distributed by TrueOnline. This device operates on TCLinux and contains multiple user accounts with default or hardcoded credentials that pose significant risks to network security. The presence of these weak authentication mechanisms creates an entry point for malicious actors to gain unauthorized access to the router's administrative interface. The vulnerability is particularly concerning because it affects service accounts rather than standard user accounts, indicating a fundamental flaw in the device's authentication design where system-level credentials are exposed by default.
The technical implementation of this vulnerability stems from the inclusion of hardcoded credentials within the router firmware itself. The first service account uses the username "true" with password "true" while the second account utilizes "supervisor" with "zyad1234" as the password. These credentials are embedded within the system rather than being generated dynamically or stored securely, making them easily discoverable through routine security scanning or by examining the device's firmware. This approach directly violates security best practices and aligns with CWE-798, which addresses the use of hardcoded credentials in software. The flaw allows for authenticated command injection attacks, where an attacker with access to these accounts can execute arbitrary commands on the router through the web interface.
The operational impact of this vulnerability extends beyond simple unauthorized access to full administrative control over the affected router. Once authenticated, an attacker can modify router settings, configure network parameters, redirect traffic, and potentially establish persistent backdoors within the network infrastructure. Because the accounts also unlock authenticated command injection, an attacker who obtains one of these service accounts can take full control of the device and, from there, reach the rest of the network even where segmentation is in place. This vulnerability affects the confidentiality, integrity, and availability of the network infrastructure; the ATT&CK framework classifies the command execution under technique T1059.001 (command and scripting interpreter). The compromised device can serve as a pivot point for lateral movement within the network, making it particularly dangerous in enterprise environments where routers often serve as critical network gateways.
Mitigation strategies for this vulnerability require immediate action to address the hardcoded credentials issue. Network administrators should first identify all affected devices within their infrastructure and update the firmware to versions that address this vulnerability. When firmware updates are unavailable, the recommended approach involves disabling or removing the service accounts with hardcoded credentials from the router configuration. The use of network segmentation and firewall rules to restrict access to administrative interfaces can provide additional defense-in-depth measures. Security monitoring should include detection of login attempts using these specific credentials, as outlined in the MITRE ATT&CK framework's detection methodologies. Regular security audits of network infrastructure should include checks for hardcoded credentials and default accounts across all router models, particularly those from manufacturers with known security issues. Organizations should also implement comprehensive network access controls and ensure that only authorized personnel have access to administrative interfaces, reducing the attack surface for vulnerabilities like CVE-2017-18371.
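The detection recommended above, flagging login attempts that use the two hardcoded service accounts, as an added example that is not part of the original advisory. The log format is an assumption (the page does not document the router's real syslog output), and the sample lines are constructed; only the usernames from the CVE are needed, never the passwords.

```python
import re
from collections import Counter

# Hardcoded service account usernames named in CVE-2017-18371.
DEFAULT_SERVICE_ACCOUNTS = {"true", "supervisor"}

# Assumed (constructed) log format; adapt the regex to the device's real output:
#   "<timestamp> <host> login <success|failure> user=<name> from=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login (?P<result>success|failure) "
    r"user=(?P<user>\S+) from=(?P<ip>[\d.]+)$"
)

def parse_line(line):
    """Return the fields of a recognised login line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_default_account_use(lines):
    """Flag every login attempt using a hardcoded account.
    Successful logins are 'critical' (the device is compromised), failed
    attempts are 'high' (someone is trying the known defaults)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in DEFAULT_SERVICE_ACCOUNTS:
            continue
        severity = "critical" if rec["result"] == "success" else "high"
        findings.append({"severity": severity, "user": rec["user"],
                         "src_ip": rec["ip"], "host": rec["host"], "ts": rec["ts"]})
    # Stable sort: critical findings first, original order otherwise.
    findings.sort(key=lambda f: f["severity"] != "critical")
    return findings

def summarize_by_source(findings):
    """Count flagged attempts per source IP to spot sweeps across many routers."""
    return Counter(f["src_ip"] for f in findings)

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "2023-09-11T10:00:01 gw-01 login failure user=admin from=192.0.2.10",
    "2023-09-11T10:00:05 gw-01 login failure user=true from=198.51.100.7",
    "2023-09-11T10:00:06 gw-01 login success user=true from=198.51.100.7",
    "2023-09-11T10:01:00 gw-02 login success user=supervisor from=198.51.100.7",
    "2023-09-11T10:02:00 gw-02 login success user=alice from=192.0.2.11",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = detect_default_account_use(SAMPLE_LOG)
    for f in found:
        print(f)
    print(dict(summarize_by_source(found)))
```

Wire the same check into the SIEM rule that ingests the router's authentication log; a single successful event for either username means the device should be treated as compromised, not merely misconfigured.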