CVE-2022-25217 in Phicomm
Summary
by MITRE • 03/10/2022
Use of a hard-coded cryptographic key pair by the telnetd_startup service allows an attacker on the local area network to obtain a root shell on the device over telnet. The builds of telnetd_startup included in the version 22.5.9.163 of the K2 firmware, and version 32.1.15.93 of the K3C firmware (possibly amongst many other releases) included both the private and public RSA keys. The remaining versions cited here redacted the private key, but left the public key unchanged. An attacker in possession of the leaked private key may, through a scripted exchange of UDP packets, instruct telnetd_startup to spawn an unauthenticated telnet shell as root, by means of which they can then obtain complete control of the device. A consequence of the limited availablility of firmware images for testing is that models and versions not listed here may share this vulnerability.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/12/2022
The vulnerability described in CVE-2022-25217 represents a critical security flaw in network services that stems from improper cryptographic key management practices. This issue specifically affects the telnetd_startup service component within certain firmware versions of network devices, creating a pathway for unauthorized remote code execution with elevated privileges. The vulnerability manifests through the inclusion of hard-coded cryptographic key pairs within the firmware images, a practice that fundamentally undermines the security model of the affected systems. The presence of both private and public RSA keys within the firmware builds creates an inherent weakness that can be exploited by attackers within the local network segment.
The technical implementation of this vulnerability involves the use of a hardcoded private key that allows attackers to authenticate with the telnetd_startup service without proper credentials. This flaw aligns with CWE-326, which addresses the use of weak encryption algorithms or improper cryptographic key management, and specifically relates to CWE-310, which covers cryptographic issues including weak key generation and storage. The attacker can leverage this hardcoded private key through a scripted exchange of UDP packets to trigger the service into spawning an unauthenticated telnet shell with root privileges. This mechanism operates outside normal authentication procedures, effectively bypassing the device's security controls and providing complete system compromise.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass full system control and potential lateral movement within network environments. Once an attacker obtains root access through this method, they can execute arbitrary code, modify system configurations, access sensitive data, and establish persistent access points. The vulnerability's presence in multiple firmware versions including K2 firmware version 22.5.9.163 and K3C firmware version 32.1.15.93 demonstrates a widespread issue that affects numerous network devices within the same product line. The fact that some versions redacted the private key while retaining the public key indicates a partial remediation effort that may have been insufficient, as the public key alone can still enable certain types of attacks and reconnaissance activities.
The attack vector for this vulnerability is particularly concerning as it requires minimal network proximity and can be executed through automated scripts. The UDP packet exchange mechanism allows for rapid exploitation and can be automated, making it particularly dangerous in environments where network segmentation is not properly implemented. This vulnerability directly maps to ATT&CK technique T1021.004, which covers remote services through telnet, and T1059.003, covering command and scripting interpreter through PowerShell or similar tools. The remediation process requires immediate firmware updates that properly implement cryptographic key management practices and eliminate hardcoded credentials from system components. Organizations should implement network segmentation to limit the attack surface and monitor for unauthorized telnet connections or unusual UDP traffic patterns that might indicate exploitation attempts. The vulnerability underscores the importance of proper key lifecycle management and the dangers of embedding cryptographic material within firmware, as these practices create permanent security weaknesses that persist across system updates and deployments.