CVE-2021-3774 in MSS550X
Summary
by MITRE • 11/06/2021
Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), on its 3.1.3 version and before, creates an open Wi-Fi Access Point without the required security measures in its initial setup. This could allow a remote attacker to obtain the Wi-Fi SSID as well as the password configured by the user from Meross app via Http/JSON plain request.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 11/10/2021
The Meross Smart Wi-Fi 2 Way Wall Switch MSS550X represents a significant security vulnerability identified as CVE-2021-3774, affecting firmware versions 3.1.3 and earlier. This device operates as a smart home automation component that requires initial network configuration through a mobile application, establishing a critical attack surface during its setup phase. The vulnerability manifests during the device's initial provisioning process when it creates an open Wi-Fi access point to facilitate user configuration. This behavior violates fundamental security principles by failing to implement proper authentication mechanisms, allowing any remote attacker to connect to the device without authorization. The flaw specifically stems from the device's failure to enforce secure communication protocols during its initial setup, creating a window of opportunity for malicious actors to exploit the configuration process.
The technical implementation of this vulnerability involves the device's handling of network configuration data through unencrypted HTTP/JSON requests, which exposes sensitive information in plain text format. During the initial setup, the device broadcasts its configured Wi-Fi credentials through a publicly accessible HTTP endpoint without requiring authentication or encryption, making it trivial for attackers to capture network information using standard network monitoring tools. The device's configuration data includes the user-defined Wi-Fi SSID and password, which are transmitted in clear text format, violating security standards such as those outlined in CWE-312 (Sensitive Data Exposure) and CWE-310 (Cryptographic Issues). This exposure occurs because the device does not implement proper access controls or encryption mechanisms, directly enabling credential theft through simple network sniffing or man-in-the-middle attacks.
The operational impact of this vulnerability extends beyond simple credential theft, creating a broader security risk for users' entire network infrastructure. Once an attacker obtains the Wi-Fi credentials through this vulnerability, they gain access to the user's home network, potentially enabling further attacks such as lateral movement within the network, data exfiltration, or even device compromise. The vulnerability affects not just the specific device but also represents a systemic failure in the device's security architecture during its most critical configuration phase, which aligns with ATT&CK technique T1071.004 (Application Layer Protocol: DNS) and T1566 (Phishing) as attackers can leverage the exposed credentials to establish persistent access. This flaw particularly impacts users who rely on smart home devices for security purposes, as the compromise of a single device can potentially lead to complete network infiltration, making it a high-risk vulnerability that affects both individual privacy and network security.
The mitigation strategies for this vulnerability require immediate firmware updates from Meross to address the insecure configuration process and implement proper authentication mechanisms. Users should disable the device's open access point functionality after initial setup and ensure that all network communications use encrypted protocols such as HTTPS rather than plain HTTP. Network administrators should monitor for unauthorized devices on their networks and implement proper segmentation to limit the impact of credential exposure. The vulnerability demonstrates the importance of secure-by-design principles in IoT devices and highlights the need for comprehensive security testing during the development lifecycle, particularly focusing on initial provisioning processes. Organizations should consider implementing network access control lists and monitoring for unusual network activity that might indicate exploitation attempts, while also ensuring that all IoT device firmware is kept current with security patches to prevent exploitation of known vulnerabilities.