CVE-2018-6401 in MSS110
Summary
by MITRE
Meross MSS110 devices before 1.1.24 contain a TELNET listener providing access for an undocumented admin account with a blank password.
Analysis
by VulDB Data Team • 02/01/2020
The CVE-2018-6401 vulnerability affects Meross MSS110 smart power outlets and related devices running firmware versions prior to 1.1.24. It is a critical flaw: an undocumented telnet service running on the device exposes administrative access without authentication. The root cause is an insecure network-service configuration in which the device keeps a telnet listener active without proper authentication mechanisms or access controls.
Technically, the device's network stack keeps a telnet service listening for incoming connections on a specific port. The service grants access to an administrative account that appears in no official product specification or user manual. Because the account has no password, any remote party that can reach the telnet port can take administrative control of the device simply by connecting. This is an authentication bypass arising from a classic insecure default configuration, where security mechanisms are either absent or improperly implemented.
The operational impact goes beyond unauthorized access to complete device compromise and potential network infiltration. An attacker with access to the device can change power settings, potentially damaging connected equipment, alter device behaviour, or use the compromised outlet as a pivot point to reach other network resources. By removing any form of authentication, the flaw defeats the device's security model and creates a backdoor that grants full administrative privileges without any credential knowledge. This weakness directly violates security best practices and industry standards such as the OWASP Top 10, which specifically address the lack of proper access control mechanisms.
The vulnerability maps to several ATT&CK framework techniques, including T1021.004 Remote Services and T1078 Valid Accounts, since it provides unauthorized access through a legitimate administrative service using undocumented credentials. Organizations running affected Meross devices face a significant risk of unauthorized device manipulation and escalation to broader network compromise. Because the administrative account is undocumented, even security personnel may be unaware of this access vector, which makes detection and remediation harder.
Mitigation should prioritize an immediate firmware update to version 1.1.24 or later, which addresses the vulnerability by removing the undocumented telnet service. Network segmentation and firewall rules should restrict access to affected devices, in particular blocking telnet ports from external networks. Regular security assessments should confirm that no unauthorized services are listening on networked devices. The case underlines the importance of proper security configuration management and of thorough security reviews of networked devices to prevent similar issues in the future. Organizations should also maintain a device inventory so that every affected device on their network infrastructure can be identified and remediated.
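As an added illustration of the segmentation and assessment advice above (example code, not part of the VulDB analysis or any Meross tooling), the following Python script reviews firewall logs for accepted telnet sessions reaching an IoT segment from hosts outside a management allow-list, so that exposed outlets can be prioritized for the firmware update. The log format, the 192.168.50.0/24 IoT segment, the 10.0.0.5 management host and the sample log lines are all constructed assumptions.

```python
# Constructed example: flags accepted TCP/23 sessions into an IoT segment in
# firewall logs. The log format, the 192.168.50.0/24 IoT VLAN and the 10.0.0.5
# management host are assumptions, not values taken from the advisory.
import ipaddress
import re

# Constructed sample lines in an assumed "key=value" firewall log format.
SAMPLE_LOG = """\
2020-02-01T10:00:01Z action=ACCEPT proto=TCP src=10.0.0.5 dst=192.168.50.12 dport=23
2020-02-01T10:00:07Z action=ACCEPT proto=TCP src=203.0.113.9 dst=192.168.50.12 dport=23
2020-02-01T10:00:09Z action=ACCEPT proto=TCP src=192.168.50.12 dst=192.168.50.1 dport=53
2020-02-01T10:01:15Z action=ACCEPT proto=TCP src=198.51.100.4 dst=192.168.50.30 dport=23
2020-02-01T10:01:20Z action=DROP proto=TCP src=198.51.100.4 dst=192.168.50.31 dport=23
"""

IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")  # assumed IoT VLAN
MGMT_HOSTS = {ipaddress.ip_address("10.0.0.5")}        # assumed admin allow-list
TELNET_PORT = 23

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse_line(line):
    """Return the parsed fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec

def find_telnet_exposure(log_text):
    """Return (timestamp, src, dst) for accepted telnet sessions reaching IoT devices
    from hosts outside the management allow-list; dropped traffic is ignored."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "TCP":
            continue
        if rec["dport"] != TELNET_PORT or rec["dst"] not in IOT_SEGMENT:
            continue
        if rec["src"] in MGMT_HOSTS:
            continue  # expected administrative access, not an exposure finding
        findings.append((rec["ts"], str(rec["src"]), str(rec["dst"])))
    return findings
```

Running `find_telnet_exposure(SAMPLE_LOG)` on the constructed lines yields the two sessions from 203.0.113.9 and 198.51.100.4; the management-host session and the dropped attempt are not reported, and every destination returned is a device that should be on the firmware-update list.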