CVE-2021-28912 in eibPort

Summary

by MITRE • 09/10/2021

BAB TECHNOLOGIE GmbH eibPort V3. Each device has its own unique hard coded and weak root SSH key passphrase known as 'eibPort string'. This is usable and the final part of an attack chain to gain SSH root access.

Analysis

by VulDB Data Team • 01/27/2023

The vulnerability identified as CVE-2021-28912 affects eibPort V3 devices manufactured by BAB TECHNOLOGIE GmbH, representing a critical security flaw in industrial networking equipment. This issue stems from the implementation of hard-coded cryptographic credentials within the device firmware, specifically a weak root SSH key passphrase that is publicly known and documented as 'eibPort string'. The vulnerability exists at the authentication layer of the device's secure shell implementation, where default credentials are embedded in the software rather than being dynamically generated or securely configured during deployment.

The technical flaw constitutes a fundamental failure in secure credential management practices, directly violating security best practices outlined in industry standards such as CWE-798, which addresses the use of hard-coded credentials, and CWE-312, which covers the exposure of sensitive information through hard-coded passwords. This weakness creates an attack surface that allows unauthorized users to bypass normal authentication mechanisms and gain root-level access to the device. The vulnerability is particularly concerning because it represents a pre-authentication privilege escalation vector that requires no additional exploitation techniques beyond knowledge of the hardcoded credential.

Operationally, this vulnerability enables attackers to achieve complete system compromise of affected eibPort V3 devices, providing them with full administrative control over the network infrastructure. The impact extends beyond individual device compromise to potentially affect entire industrial control networks, as these devices often serve as critical communication bridges in building automation and industrial IoT environments. Once an attacker gains root access through SSH, they can manipulate network configurations, intercept communications, modify device behavior, or establish persistent backdoors. This vulnerability aligns with ATT&CK technique T1078.004, which covers legitimate credentials and default credentials, and represents a common attack pattern in industrial control systems where default credentials pose significant risks.

The mitigation strategy for this vulnerability requires immediate action from device administrators, including the replacement of all affected devices with versions that do not contain hardcoded credentials. Organizations should implement network segmentation to isolate these devices from critical infrastructure and monitor for unauthorized access attempts. The remediation process must involve firmware updates from the vendor, although the nature of the vulnerability means that physical device replacement may be necessary since the hardcoded credentials cannot be easily changed. Security teams should also conduct comprehensive inventory assessments to identify all instances of the affected devices within their networks and implement continuous monitoring for exploitation attempts. The vulnerability demonstrates the critical importance of secure default configurations in embedded systems and highlights the need for robust credential management practices in industrial environments.
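The monitoring and inventory steps described above can be sketched as a log check. This is an added example, not code from VulDB or the vendor. It assumes the devices' SSH events reach a central syslog in OpenSSH's usual format; the hostnames, addresses and management subnet are constructed.

```python
import ipaddress
import re

# Assumed OpenSSH-style syslog line; the page does not say which SSH daemon
# or log format eibPort V3 uses, so adapt the pattern to the real feed.
SSH_EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?P<user>\S+)\s"
    r"from\s(?P<src>[0-9a-fA-F.:]+)\sport\s\d+"
)

# Constructed sample log lines (hostnames and addresses are hypothetical).
SAMPLE = [
    "Sep 10 02:14:07 eibport-01 sshd[812]: Accepted publickey for root from 10.20.0.5 port 50122 ssh2: RSA SHA256:EXAMPLE",
    "Sep 10 03:41:55 eibport-01 sshd[901]: Accepted publickey for root from 198.51.100.23 port 40022 ssh2: RSA SHA256:EXAMPLE",
    "Sep 10 03:42:10 eibport-02 sshd[377]: Failed publickey for root from 198.51.100.23 port 40031 ssh2: RSA SHA256:EXAMPLE",
    "Sep 10 03:50:00 fileserver sshd[55]: Accepted publickey for root from 198.51.100.23 port 40040 ssh2",
]

def flag_root_ssh(lines, devices, mgmt_networks):
    """Return (severity, host, source, timestamp) for root SSH events on inventoried devices."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for line in lines:
        m = SSH_EVENT.match(line)
        if not m or m["host"] not in devices or m["user"] != "root":
            continue  # unparsable line, host outside the inventory, or non-root user
        src = ipaddress.ip_address(m["src"])
        from_mgmt = any(src in n for n in nets)
        if m["result"] == "Accepted" and not from_mgmt:
            severity = "critical"  # root session from outside the management segment
        elif m["result"] == "Accepted":
            severity = "review"    # root session from inside: confirm it was planned
        else:
            severity = "attempt"   # failed root authentication
        findings.append((severity, m["host"], str(src), m["ts"]))
    return findings

if __name__ == "__main__":
    for finding in flag_root_ssh(SAMPLE, {"eibport-01", "eibport-02"}, ["10.20.0.0/24"]):
        print(finding)
```

Because the passphrase cannot be rotated on an affected device, any accepted root session from outside the management segment is worth treating as an incident rather than a failed-login statistic.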

Reservation: 03/19/2021

Disclosure: 09/10/2021

Moderation: accepted

CPE: ready

EPSS: 0.01226

KEV: no

Activities: very low
