CVE-2018-9112 in FEMTO AP-FC4064-T

Summary

by MITRE

A low privileged admin account with a weak default password of admin exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15. In addition, its web management page relies on the existence or values of cookies when performing security-critical operations. One can gain privileges by modifying cookies.


Analysis

by VulDB Data Team • 02/04/2020

The vulnerability described in CVE-2018-9112 represents a critical security flaw in Foxconn's FEMTO AP-FC4064-T wireless access point device. This issue stems from poor security configuration practices where the device ships with a default administrative account named "admin" alongside a weak default password that remains unchanged in many deployments. The vulnerability specifically affects the LTE Build 15 version of the firmware, indicating this is not an isolated incident but rather a persistent flaw in the device's security implementation. The presence of a hardcoded default credential creates an immediate attack vector that requires no sophisticated techniques to exploit, making it particularly dangerous in environments where devices are deployed without proper security hardening.

The technical exploitation mechanism relies on the device's improper handling of cookies within its web management interface: the interface treats the mere existence of a cookie, or the value it carries, as proof of authorization when performing security-critical operations. This represents a fundamental flaw in the application's security architecture, since session management never verifies user privileges on the server side before executing such operations. When an attacker modifies the cookie values, the system fails to validate whether the modified session actually holds the claimed authorization level, allowing privilege escalation from the low-privileged account to administrative privileges. This cookie manipulation vulnerability directly relates to CWE-287, which addresses improper authentication issues, and demonstrates how weak session management can lead to unauthorized privilege elevation. The vulnerability essentially bypasses the normal authentication flow by leveraging the fact that cookie values are trusted without proper verification of their integrity or of the associated user's authorization level.

The operational impact of this vulnerability extends beyond simple unauthorized access to potentially full system compromise. An attacker who gains administrative privileges through this method can manipulate network configurations, modify device settings, access network traffic, and potentially use the device as a pivot point for attacking other systems within the network. This is particularly concerning for wireless infrastructure devices that often serve as critical network entry points. The vulnerability can be exploited remotely without requiring physical access to the device, making it an attractive target for attackers seeking to establish persistent access to corporate or residential networks. From an attacker's perspective, the combination of a default credential and cookie manipulation creates a straightforward path to system compromise that aligns with ATT&CK technique T1078 for valid accounts and T1566 for credential harvesting through social engineering or default credential exploitation.

Organizations deploying Foxconn FEMTO AP-FC4064-T devices should immediately implement several mitigation strategies to address this vulnerability. The primary remediation involves changing the default administrative password to a strong, unique credential that is not easily guessable or discoverable through common default credential databases. Network segmentation should be implemented to limit access to these devices to authorized personnel only, and proper firewall rules should be configured to restrict management access to specific IP addresses or ranges. Additionally, regular firmware updates should be implemented to ensure that known vulnerabilities are patched, though this particular vulnerability may require manual intervention since it involves the device's default configuration rather than a software bug. Network monitoring should be enhanced to detect unusual cookie modifications or unauthorized access attempts to management interfaces, and security awareness training should be provided to administrators to emphasize the importance of changing default credentials immediately upon device deployment. The vulnerability demonstrates the critical importance of proper device hardening and the dangers of shipping products with default credentials that remain unchanged in production environments.
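The two paragraphs above describe the flaw (privilege read from a client-controlled cookie) and its remedy (server-side session checks). The following is an added illustration, not code from the device or from VulDB: the cookie names, the server key and the session store are constructed assumptions, since the page does not document the device's actual cookie handling. It shows the trusting check beside a hardened one that binds privilege to an HMAC-verified, server-side session.

```python
import hashlib
import hmac
import secrets

# Constructed example values; the real device's cookie names and session
# handling are not documented on this page.
SERVER_KEY = b"constructed-example-key-not-for-production"
SESSIONS = {}  # session id -> role, held only on the server


def vulnerable_is_admin(cookies: dict) -> bool:
    """The pattern the advisory describes: the role is read straight from a
    client-controlled cookie, so whoever sets the cookie decides their
    privilege level."""
    return cookies.get("role") == "admin"


def issue_session(role: str) -> str:
    """Create a server-side session for an already authenticated user and
    return an HMAC-signed token of the form '<sid>.<tag>'."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = role
    tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def hardened_is_admin(cookies: dict) -> bool:
    """Privilege is looked up server-side from a verified session token.
    Rewriting or adding cookies cannot change the stored role, and a token
    with a bad or missing tag is rejected before any lookup."""
    token = cookies.get("session", "")
    sid, _, tag = token.partition(".")
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not sid or not hmac.compare_digest(tag, expected):
        return False
    return SESSIONS.get(sid) == "admin"


if __name__ == "__main__":
    forged = {"role": "admin"}  # a client simply asserting privilege
    print("vulnerable check, forged cookie:", vulnerable_is_admin(forged))  # True
    print("hardened check, forged cookie:", hardened_is_admin(forged))      # False
    user_token = issue_session("user")
    print("hardened check, user session plus forged role cookie:",
          hardened_is_admin({"session": user_token, "role": "admin"}))      # False
```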

Reservation: 03/28/2018

Disclosure: 05/09/2018

Moderation: accepted

CPE: ready

EPSS: 0.00457

KEV: no

Activities: very low
