CVE-2018-15555 in Actiontec WEB6000Q

Summary

by MITRE

On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login with root level access with the user "root" and password "admin" by using the enabled onboard UART headers.


Analysis

by VulDB Data Team • 10/09/2023

This vulnerability exists in Telus Actiontec WEB6000Q v1.1.02.22 devices, where default credentials are improperly configured, allowing unauthorized administrative access through the UART interface. The device exposes onboard UART headers that enable low-level physical access, which, when combined with hardcoded credentials, creates a critical security weakness. The vulnerability stems from the device manufacturer's failure to secure the UART interface or implement proper authentication mechanisms for privileged access. This is a classic case of insecure default configuration, where root credentials are hardcoded and accessible via a physical interface. The exposed UART headers give attackers direct access to the device's serial console, bypassing normal network-based authentication mechanisms entirely. This vulnerability aligns with CWE-798, which addresses the use of hard-coded credentials, and CWE-259, concerning weak password management. The attack vector is particularly concerning because, although it requires physical access to the device, it does not require advanced exploitation techniques. The root account with password "admin" represents a fundamental flaw in the device's security architecture, as it provides unrestricted access to all system functions and configuration parameters.

The operational impact of this vulnerability is severe as it allows complete compromise of the device's administrative functions. An attacker with physical access can gain root privileges and subsequently control the entire device, potentially using it as a pivot point for network attacks against other connected systems. The UART interface provides direct access to the device's operating system, enabling attackers to modify firmware, extract sensitive data, or install malicious code. This vulnerability particularly affects network infrastructure devices where physical security is often assumed but not properly enforced. The device's exposed UART headers create a backdoor that bypasses all network-based security controls, rendering network segmentation and access controls ineffective. This attack pattern maps to ATT&CK technique T1059.001 for command and scripting interpreter and T1068 for exploit for privilege escalation. The vulnerability is persistent and cannot be mitigated through software updates alone, as it requires physical access to disable the UART interface or replace the hardware.

Mitigation strategies should focus on physical security measures and hardware-level protections. Organizations should implement strict physical access controls to prevent unauthorized individuals from accessing device UART interfaces. The UART headers should be physically disabled or covered when not in use for maintenance purposes. Network administrators should conduct regular audits of device configurations and ensure that default credentials are changed immediately upon device deployment. The device firmware should be updated to the latest available version that addresses this specific vulnerability, though in this case the vulnerability is likely inherent to the device design rather than a software bug. Implementing network-based monitoring to detect unusual activity patterns that might indicate unauthorized access attempts can help identify potential exploitation attempts. Security policies should mandate that all network devices have their physical interfaces secured and that default administrative credentials are immediately changed upon installation. The vulnerability highlights the importance of the principle of least privilege and the necessity of implementing proper access controls even for physical interfaces. Regular security assessments should include physical security reviews to identify exposed interfaces that could create similar vulnerabilities. This type of vulnerability underscores the need for security by design principles where manufacturers build security into device architecture from the initial design phase rather than addressing it as an afterthought.

Reservation: 08/19/2018

Moderation: accepted

CPE: ready

EPSS: 0.01004

KEV: no

Activities: very low
