Talos Vulnerability Report

TALOS-2021-1241

Trend Micro Inc. Home Network Security SFTP log collection server hard-coded password vulnerability

May 24, 2021

CVE Number

CVE-2021-32459

Summary

A hard-coded password vulnerability exists in the SFTP Log Collection Server function of Trend Micro Inc.’s Home Network Security 6.1.567. A specially crafted network request can lead to arbitrary authentication. An attacker can send an unauthenticated message to trigger this vulnerability.

Tested Versions

Trend Micro, Inc. Home Network Security 6.1.567

Product URLs

https://www.trendmicro.com/en_us/forHome/products/homenetworksecurity.html

CVSSv3 Score

4.9 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-259 - Use of Hard-coded Password

Details

The Home Network Security Station is a device used to monitor and protect home networks from security threats as well as offer simple network management features. The Station provides vulnerability scanning, web threat protection, intrusion prevention, as well as device-based access control for all devices on a home network.

A hard-coded username and password exist for uploading a collection of log files from the Trend Micro Home Network Security device. The log server is at logs.trendmicro.com. The device uses this server to send all of the information it collects back to Trend Micro’s infrastructure, which can include identifiable information about the networks the data originated from. The username and password are hard-coded in the core binary of the HNS device as diamond:bahV6AtJqZt4K. On the SFTP server, these credentials can be used to create files, change permissions on files, and upload arbitrary data to the server. This could result in the loss of the logs if files are overwritten, or data exfiltration could occur if it is possible to download data.
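A pre-release firmware check for this class of defect (CWE-259) can be sketched as follows. This is an added example, not code from Talos or Trend Micro: it extracts printable strings from a binary image and flags credential-shaped strings that sit near a transfer endpoint. The regular expressions, the `window` parameter, and the sample bytes are assumptions chosen for illustration.

```python
import re

# Printable-ASCII runs of 6+ bytes, the same view the `strings` utility gives.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
# A whole string shaped like account:secret (heuristic, assumed for this example).
CRED_RE = re.compile(r"([a-z_][a-z0-9_-]{2,15}):([A-Za-z0-9!@#$%^&*._-]{8,64})")
# A neighbouring string that names a transfer endpoint (URL scheme or dotted hostname).
HOST_RE = re.compile(r"(?:s?ftp|ssh)://\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def mixed_classes(token):
    """Heuristic: generated passwords usually mix lower case, upper case and digits."""
    return (any(c.islower() for c in token) and any(c.isupper() for c in token)
            and any(c.isdigit() for c in token))


def find_embedded_credentials(blob, window=3):
    """Return (offset, account, nearby_endpoint) for each credential-shaped string.

    The secret itself is never returned, so scan output can go to a CI log.
    """
    strings = [(m.start(), m.group().decode("ascii")) for m in STRING_RE.finditer(blob)]
    findings = []
    for i, (offset, text) in enumerate(strings):
        cred = CRED_RE.fullmatch(text)
        if not cred or not mixed_classes(cred.group(2)):
            continue
        endpoint = None
        # Look at the strings stored just before and after the candidate.
        for _, neighbour in strings[max(0, i - window): i + window + 1]:
            host = HOST_RE.search(neighbour)
            if neighbour != text and host:
                endpoint = host.group()
                break
        findings.append((offset, cred.group(1), endpoint))
    return findings


# Constructed sample: not bytes from the HNS firmware; host and account are placeholders.
SAMPLE = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"upload_logs\x00"
          b"logs.example.invalid\x00\x01\x02" b"svcacct:Xy7QmP2rLk9Zt\x00\xff\xfe"
          b"loglevel:verbose1\x00" b"/var/log/messages\x00")

if __name__ == "__main__":
    for offset, account, endpoint in find_embedded_credentials(SAMPLE):
        print(f"offset {offset:#x}: account {account!r} near endpoint {endpoint!r}")
```

A finding with a nearby endpoint is the higher-priority case, since it pairs a shared secret with the server that accepts it.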

Timeline

2021-01-22 - Vendor Disclosure
2021-04-06 - 75+ day follow up
2021-04-20 - Talos granted timeline extension for disclosure
2021-05-20 - Vendor Patched
2021-05-24 - Public Release

Credit

Discovered by Carl Hurd and Kelly Leuschner of Cisco Talos.