CVE-2020-13860 in MOFI4500-4GXeLTE
Summary
by MITRE • 02/01/2021
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. The one-time password algorithm for the undocumented system account mofidev generates a predictable six-digit password.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/21/2021
The vulnerability identified in CVE-2020-13860 affects Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices where an undocumented system account named mofidev exists. This account represents a significant security weakness as it provides unauthorized access points to network infrastructure without proper authentication mechanisms. The device manufacturer has not publicly documented this account, making it invisible to legitimate administrators and creating an unexpected entry point for potential attackers. The vulnerability specifically targets the password generation algorithm for this system account, which produces predictable six-digit passwords that can be easily guessed or reverse-engineered by malicious actors.
The technical flaw lies in the cryptographic weakness of the one-time password generation algorithm used for the mofidev account. This predictable password generation mechanism violates fundamental security principles for authentication systems and represents a clear violation of the principle of least privilege. The six-digit password structure significantly reduces the entropy of the authentication mechanism, making it susceptible to brute force attacks and pattern recognition. According to CWE-338, this vulnerability falls under weak random number generation where the algorithm fails to produce sufficient randomness for secure authentication purposes. The predictable nature of these passwords creates a direct path for unauthorized access to network management interfaces and system configurations.
The operational impact of this vulnerability extends beyond simple unauthorized access, as the mofidev account likely provides administrative privileges within the device's system. Attackers who discover or guess the predictable password can gain full control over the network device, potentially leading to man-in-the-middle attacks, network infiltration, or complete device compromise. This vulnerability directly maps to the ATT&CK technique T1078.004 which covers valid accounts used for unauthorized access, and T1566 which involves social engineering techniques that exploit undocumented accounts. The presence of this undocumented account also violates security best practices established in NIST SP 800-53 and ISO 27001 standards, particularly in the areas of access control and system configuration management.
Organizations should immediately implement mitigations including disabling or removing the undocumented mofidev account from all affected devices, changing default passwords, and conducting comprehensive security audits to identify other undocumented accounts or backdoors. Network segmentation and monitoring should be enhanced to detect unusual login patterns or access attempts to the device. The device firmware should be updated to the latest available version from Mofi Network, though the vulnerability may persist if the manufacturer has not addressed it in their official releases. System administrators should also implement strong access control policies and regularly review device configurations to prevent similar vulnerabilities from being introduced through misconfigurations or legacy accounts. The vulnerability demonstrates the critical importance of proper account lifecycle management and the necessity of conducting thorough security assessments of network infrastructure to identify and remediate undocumented access points.