CVE-2021-27155 in HG6245D
Summary
by MITRE
An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded admin / 3UJUh2VemEfUtesEchEC2d2e credentials for an ISP.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/28/2021
The vulnerability identified as CVE-2021-27155 affects FiberHome HG6245D broadband router devices operating with firmware version RP2613 and earlier. This represents a critical security flaw that stems from improper credential management within the device's web administration interface. The issue manifests through the presence of hard-coded authentication credentials that remain unchanged across all affected devices, creating a persistent and exploitable weakness in the network infrastructure. The hardcoded credentials consist of an administrative username 'admin' paired with a password '3UJUh2VemEfUtesEchEC2d2e', which provides unauthorized access to the device's management functions without requiring any additional authentication factors.
The technical implementation of this vulnerability involves the web daemon process running on the affected devices, which incorporates these hardcoded credentials directly into the firmware code. This approach violates fundamental security principles and represents a classic example of weak credential management practices. According to CWE-798, this vulnerability maps directly to the weakness of using hardcoded credentials, which is categorized under insecure credential storage and management. The flaw exists at the application level within the device's web interface, making it accessible through standard network protocols and potentially exploitable from external networks if the device is exposed to the internet.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it provides attackers with full administrative control over the affected broadband modem. This level of access enables malicious actors to modify network configurations, implement man-in-the-middle attacks, redirect traffic to malicious servers, or establish persistent backdoors within the network infrastructure. The vulnerability affects not only individual users but also the broader network ecosystem, as these devices often serve as the primary gateway for home and small office networks. The implications align with ATT&CK technique T1078.004, which covers legitimate credentials and default credentials, allowing adversaries to maintain persistent access to target networks through unauthorized administrative privileges.
Mitigation strategies for this vulnerability require immediate action from network administrators and end users. The primary recommendation involves changing the default administrative credentials on affected devices, though this becomes challenging given the hardcoded nature of the credentials. Network segmentation and firewall rules should be implemented to prevent unauthorized access to the device's management interfaces, particularly when these devices are exposed to external networks. Regular firmware updates from FiberHome should be prioritized to address this vulnerability, and network monitoring should be enhanced to detect unauthorized access attempts. Organizations should also implement network access control measures and consider disabling unnecessary services on these devices to reduce the attack surface. The vulnerability demonstrates the importance of proper credential lifecycle management and the dangers of embedding authentication information directly into firmware code, reinforcing the need for robust security practices in network infrastructure devices.