A hard-coded password vulnerability exists in the SSH and telnet functionality of Lenovo Group Ltd. Smart Clock Essential 4.9.113. A specially crafted command line argument can lead to elevated capabilities. An attacker can authenticate with hard-coded credentials to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Lenovo Group Ltd. Smart Clock Essential 4.9.113
Smart Clock Essential - https://www.lenovo.com/us/en/p/smart-devices/smart-home/smart-home-series/lenovo-smart-clock-essential-with-alexa-built-in/len104l0002
9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-798 - Use of Hard-coded Credentials
The Smart Clock Essential is a smart home device with Amazon Alexa support.
The hard-coded credentials are not changed upon provisioning of the Smart Clock; therefore, an attacker with network access to the Smart Clock can gain full control of the device using SSH or telnet. Additionally, the hard-coded root password is weak and easily guessed or cracked. The default username is root and the default password is 123456.
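One way to catch this condition in a release or provisioning check, as an added example that is not Talos or Lenovo code: compare the shadow file from the factory image with the one on a provisioned unit and report accounts that still accept the factory password. It assumes the device keeps credentials in shadow(5) format, which the advisory does not state; the file contents, the `svc` account and all hash strings are constructed placeholders.

```python
# Added example: find accounts whose factory-image password survives provisioning.
# Assumption: credentials are stored in shadow(5) format (not stated in the advisory).

LOCKED_PREFIXES = ("!", "*")  # shadow(5): a leading '!' or '*' disables password login

# Constructed sample data; hash strings are placeholders, not real hashes.
FACTORY_SHADOW = """\
root:$6$CONSTRUCTED$FACTORY_ROOT_HASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:$6$CONSTRUCTED$FACTORY_SVC_HASH:19000:0:99999:7:::
"""
PROVISIONED_SHADOW = """\
root:$6$CONSTRUCTED$FACTORY_ROOT_HASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:$6$CONSTRUCTED$ROTATED_SVC_HASH:19400:0:99999:7:::
"""

def parse_shadow(text):
    """Return {user: password_field} from shadow(5)-format text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries

def password_login_enabled(password_field):
    # An empty field means no password is required, so it also counts as enabled.
    return not password_field.startswith(LOCKED_PREFIXES)

def unrotated_accounts(factory_shadow, provisioned_shadow):
    """Accounts that accept a password and still carry the factory value."""
    factory = parse_shadow(factory_shadow)
    findings = []
    for user, current in sorted(parse_shadow(provisioned_shadow).items()):
        if password_login_enabled(current) and factory.get(user) == current:
            findings.append(user)
    return findings

if __name__ == "__main__":
    for user in unrotated_accounts(FACTORY_SHADOW, PROVISIONED_SHADOW):
        print(f"FAIL: '{user}' still uses the factory-image password")
```

Any account this reports is reachable with a credential shared by every unit built from the same image, so it should block release or provisioning until the password is rotated per device or password login is disabled.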
2023-01-10 - Vendor Disclosure
2023-01-10 - Initial Vendor Contact
2023-04-11 - Vendor Patch Release
2023-04-13 - Public Release
Discovered by Kelly Leuschner and Thorsten Rosendahl of Cisco Talos.