CVE-2017-18374 in P660HN-T1A
Summary
by MITRE
The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has two user accounts with default passwords, including a hardcoded service account with the username true and password true. These accounts can be used to login to the web interface, exploit authenticated command injections and change router settings for malicious purposes.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/11/2023
The vulnerability identified as CVE-2017-18374 affects the ZyXEL P660HN-T1A v1 router model running TCLinux firmware version 7.3.15.0 v001 or 3.40(ULM.0)b31. This device is distributed by TrueOnline and represents a significant security weakness in consumer networking equipment. The issue stems from the inclusion of hardcoded default credentials that persist across device deployments, creating a persistent backdoor mechanism that adversaries can exploit to gain unauthorized access to network infrastructure. The vulnerability specifically impacts the web-based management interface of the router, which serves as the primary attack surface for malicious actors seeking to compromise network security.
The technical flaw manifests through the presence of two user accounts with default passwords, where one account features a hardcoded service account with username "true" and password "true". This configuration violates fundamental security principles by embedding credentials directly into the firmware rather than implementing proper authentication mechanisms. The hardcoded nature of these credentials means they cannot be changed by administrators, creating an inherent weakness that persists across device lifecycles. The vulnerability enables authenticated command injection attacks, where successful exploitation allows attackers to execute arbitrary commands with the privileges of the service account. This represents a critical weakness in the router's authentication and authorization framework, as the default credentials provide a consistent entry point regardless of network configuration or administrative security measures.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables full administrative control over the affected router. Attackers can modify router settings, potentially redirecting traffic, disabling security features, or establishing persistent access points within the network. The command injection capability amplifies the threat by allowing adversaries to execute system commands directly on the router, potentially leading to complete network compromise. This vulnerability affects not only individual devices but also represents a broader security concern for networks that rely on default configurations, as the same credentials may exist across multiple devices in an organization or household. The presence of such hardcoded credentials in production firmware violates security best practices and creates a persistent risk that can be exploited by both skilled attackers and automated malware.
Mitigation strategies for this vulnerability require immediate action to address the hardcoded credentials and strengthen authentication mechanisms. Network administrators should change default passwords on all affected devices, though in this case the service account credentials cannot be changed through normal administrative procedures. The most effective immediate solution involves replacing the affected routers with devices that do not contain hardcoded credentials, as these cannot be remediated through standard configuration changes. Organizations should implement network segmentation and monitoring to detect unauthorized access attempts, while also conducting comprehensive inventory audits to identify all affected devices within their network infrastructure. The vulnerability demonstrates the importance of proper credential management and secure firmware development practices, aligning with CWE-798 which addresses the use of hardcoded credentials and ATT&CK technique T1078 which covers legitimate credentials for persistence. Regular firmware updates and security assessments should be implemented to prevent similar vulnerabilities from emerging in future deployments, emphasizing the need for secure development lifecycle practices in embedded networking equipment.