CVE-2020-15833 in MOFI4500-4GXeLTE
Summary
by MITRE • 02/01/2021
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The Dropbear SSH daemon has been modified to accept an alternate hard-coded path to a public key that allows root access. This key is stored in a /rom location that cannot be modified by the device owner.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/21/2021
The vulnerability CVE-2020-15833 represents a critical backdoor configuration within the Mofi Network MOFI4500-4GXeLTE 4.1.5-std router firmware, specifically targeting the Dropbear SSH daemon implementation. This issue stems from a hardcoded security flaw that fundamentally compromises the device's authentication mechanism by embedding a predetermined public key within the firmware image itself. The affected device operates with a modified Dropbear SSH daemon that has been intentionally configured to accept connections using this hard-coded public key, which resides in the read-only memory location at /rom, making it immutable to normal administrative operations.
The technical exploitation of this vulnerability occurs through the SSH protocol where an attacker can leverage the hardcoded public key to establish unauthorized root access to the device without requiring any knowledge of user credentials or passwords. This represents a severe violation of authentication security principles and directly impacts the device's integrity and confidentiality. The vulnerability exists at the application layer within the SSH daemon component, specifically manifesting as a weakness in the key management and authentication process that should normally require proper credential validation before granting administrative privileges.
From an operational perspective, this vulnerability creates a persistent backdoor that remains active throughout the device's operational lifetime, regardless of firmware updates or administrative password changes. The device owner cannot modify or remove the hardcoded key because it exists in the read-only memory partition, making it impossible to remediate through standard configuration changes or security hardening procedures. This vulnerability affects the device's availability, integrity, and confidentiality by allowing unauthorized parties to gain complete administrative control over the router, potentially enabling them to modify network configurations, monitor traffic, or establish further footholds within connected networks.
Security implications extend beyond simple unauthorized access to include potential network compromise and lateral movement capabilities. The vulnerability aligns with CWE-259 Weak Passwords and CWE-310 Cryptographic Issues, as it represents a fundamental flaw in the cryptographic key management system. From an ATT&CK framework perspective, this vulnerability maps to T1021.004 Remote Services and T1566 Phishing, as it enables unauthorized remote access to network infrastructure and can be exploited as an initial access vector. The attack surface is particularly concerning because it affects network infrastructure devices that often serve as gateways between internal and external networks, making them prime targets for attackers seeking persistent access to larger network environments. Mitigation efforts are severely limited since the key cannot be removed or modified by the device owner, requiring either firmware updates from the vendor or complete device replacement to address the vulnerability properly.