Talos Vulnerability Report

TALOS-2023-1692

Lenovo Group Ltd. Smart Clock Essential SSH hard-coded password vulnerability

April 13, 2023
CVE Number

CVE-2023-0896

SUMMARY

A hard-coded password vulnerability exists in the SSH, telnet functionality of Lenovo Group Ltd. Smart Clock Essential 4.9.113. A specially crafted command line argument can lead to elevated capabilities. An attacker can authenticate with hard-coded credentials to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lenovo Group Ltd. Smart Clock Essential 4.9.113

PRODUCT URLS

Smart Clock Essential - https://www.lenovo.com/us/en/p/smart-devices/smart-home/smart-home-series/lenovo-smart-clock-essential-with-alexa-built-in/len104l0002

CVSSv3 SCORE

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-798 - Use of Hard-coded Credentials

DETAILS

The Smart Clock Essential is a smart home device with Amazon Alexa support.

The hardcoded credentials are not changed upon provisioning of the Smart Clock; therefore, an attacker with network access to the Smart Clock can gain full control of the device using SSH or telnet. Additionally the hardcoded root password is weak and easily guessed or cracked. The default username is: root and the default password is: 123456

TIMELINE

2023-01-10 - Vendor Disclosure
2023-01-10 - Initial Vendor Contact
2023-04-11 - Vendor Patch Release
2023-04-13 - Public Release

Credit

Discovered by Kelly Leuschner and Thorsten Rosendahl of Cisco Talos.