Use of Hard-coded Credentials in temi Robox OS prior to 120, temi Android app up to 1.3.7931 allows remote attackers to listen in on any ongoing calls between temi robots and their users if they can brute-force/guess a six-digit value via unspecified vectors.

CVE-2020-16170: Call an Exorcist! My Robot’s Possessed!

IBM QRadar 7.3.0 to 7.3.3 Patch 2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-ForceID: 175845.

CVE-2020-4269: IBM QRadar information disclosure CVE-2020-4269 Vulnerability Report

An exploitable use of hard-coded credentials vulnerability exists in multiple iw_* utilities of the Moxa AWK-3131A firmware version 1.13. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts.

**Summary**

An exploitable use of hard-coded credentials vulnerability exists in multiple iw\_\* utilities of the Moxa AWK-3131A firmware version 1.13. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts.

**Tested Versions**

Moxa AWK-3131A Firmware version 1.13

**Product URLs**

http://www.moxa.com/product/AWK-3131A.htm

**CVSSv3 Score**

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-798: Use of Hard-coded Credentials

**Details**

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.

A hard coded password (moxaiwroot) is used while decrypting any diagnostic scripts uploaded through the device’s troubleshooting portal. With this password it is possible to create custom diagnostic scripts to run on the device.

Disassembly for each of the four locations can be found below:

**iw\_troubleshoot**

    ...
    00402a38  8fdc0018   lw      $gp, 0x18($fp) {var_c8}
    00402a3c  3c020040   lui     $v0, 0x40
    00402a40  24444fe4   addiu   $a0, $v0, 0x4fe4  {0x404fe4, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s%s"}
    00402a44  3c020040   lui     $v0, 0x40
    00402a48  24454fd0   addiu   $a1, $v0, 0x4fd0  {0x404fd0, "/var/ts_zip_result"}
    00402a4c  3c020040   lui     $v0, 0x40
    00402a50  24464f90   addiu   $a2, $v0, 0x4f90  {0x404f90, "/var/"}
    00402a54  8fc70100   lw      $a3, 0x100($fp) {arg6}
    00402a58  8f828050   lw      $v0, -0x7fb0($gp)  {iw_system_quiet}
    00402a5c  0040c821   move    $t9, $v0
    00402a60  0320f809   jalr    $t9
    

There is a second location in iw_troubleshoot where the password is used: … 00402ee0 8fdc0020 lw $gp, 0x20($fp) {var\_e48} 00402ee4 8fc20e78 lw $v0, 0xe78($fp) {arg4} 00402ee8 8c420000 lw $v0, ($v0) 00402eec 8fc30e6c lw $v1, 0xe6c($fp) {arg\_4} 00402ef0 afa30010 sw $v1, 0x10($sp) {var\_e58} 00402ef4 8fc30e70 lw $v1, 0xe70($fp) {arg\_8} 00402ef8 afa30014 sw $v1, 0x14($sp) {var\_e54} 00402efc 27c3003c addiu $v1, $fp, 0x3c {var\_e2c} 00402f00 afa30018 sw $v1 {var\_e2c}, 0x18($sp) {var\_e50} 00402f04 3c030040 lui $v1, 0x40 00402f08 246450cc addiu $a0, $v1, 0x50cc {0x4050cc, “openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %sTS\_%d\_%s\_%s\_%s.aes”} 00402f0c 3c030040 lui $v1, 0x40 00402f10 24654fd0 addiu $a1, $v1, 0x4fd0 {0x404fd0, “/var/ts\_zip\_result”} 00402f14 3c030040 lui $v1, 0x40 00402f18 24664f90 addiu $a2, $v1, 0x4f90 {0x404f90, “/var/”} 00402f1c 00403821 move $a3, $v0 00402f20 8f828050 lw $v0, -0x7fb0($gp) {iw\_system\_quiet} 00402f24 0040c821 move $t9, $v0 00402f28 0320f809 jalr $t9 00402f2c 00000000 nop  
…

**iw\_onekey**

    ...
    00401aec  8fdc0010   lw      $gp, 0x10($fp) {var_10}
    00401af0  3c020040   lui     $v0, 0x40
    00401af4  24442954   addiu   $a0, $v0, 0x2954  {0x402954, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s"}
    00401af8  3c020040   lui     $v0, 0x40
    00401afc  24452944   addiu   $a1, $v0, 0x2944  {0x402944, "/var/rdinfo.zip"}
    00401b00  3c020040   lui     $v0, 0x40
    00401b04  2446298c   addiu   $a2, $v0, 0x298c  {0x40298c, "/var/rdinfo.aes"}
    00401b08  8f828048   lw      $v0, -0x7fb8($gp)  {iw_system_quiet}
    00401b0c  0040c821   move    $t9, $v0
    00401b10  0320f809   jalr    $t9
    00401b14  00000000   nop    
    ... 
    

**iw\_webs**

    00457dcc  27bdfed8   addiu   $sp, $sp, -0x128
    00457dd0  afbf0124   sw      $ra, 0x124($sp) {__saved_$ra}
    00457dd4  afbe0120   sw      $fp, 0x120($sp) {__saved_$fp}
    00457dd8  03a0f021   move    $fp, $sp {var_128}
    00457ddc  3c1c004d…  li      $gp, 0x4cb8f0
    00457de4  afbc0010   sw      $gp, 0x10($sp) {var_118}  {_gp}
    00457de8  afc40128   sw      $a0, 0x128($fp) {arg_0}
    00457dec  afc5012c   sw      $a1, 0x12c($fp) {arg_4}
    00457df0  afc0001c   sw      $zero, 0x1c($fp) {var_10c}  {0x0}
    00457df4  afc00018   sw      $zero, 0x18($fp) {var_110}  {0x0}
    00457df8  3c020047   lui     $v0, 0x47
    00457dfc  244416e4   addiu   $a0, $v0, 0x16e4  {0x4716e4, "openssl aes-256-cbc -d -k moxaiwroot -salt -in \"%s\" -out \"%s\""}
    00457e00  8fc50128   lw      $a1, 0x128($fp) {arg_0}
    00457e04  8fc6012c   lw      $a2, 0x12c($fp) {arg_4}
    00457e08  8f828764   lw      $v0, -0x789c($gp)  {iw_system}
    00457e0c  0040c821   move    $t9, $v0
    00457e10  0320f809   jalr    $t9
    00457e14  00000000   nop     
    ...
    

**Timeline**

2019-10-22 - Vendor Disclosure  
2020-02-24 - Public Release

Discovered by Patrick DeSantis, Carl Hurd, and Jared Rittle of Cisco Talos.

CVE-2019-5139: TALOS-2019-0928 || Cisco Talos Intelligence Group

IBM Security Guardium Big Data Intelligence (SonarG) 4.0 uses hard coded credentials which could allow a local user to obtain highly sensitive information. IBM X-Force ID: 161035.

CVE-2019-4309: IBM Security Guardium Big Data Intelligence information disclosure CVE-2019-4309 Vulnerability Report

In the Zingbox Inspector, versions 1.294 and earlier, hardcoded credentials for root and inspector user accounts are present in the system software, which can result in unauthorized users gaining access to the system.

Palo Alto Networks Security Advisories / CVE-2019-15015

Attack Vector **LOCAL**

Scope **UNCHANGED**

Attack Complexity **LOW**

Confidentiality Impact **HIGH**

Privileges Required **NONE**

Integrity Impact **HIGH**

User Interaction **NONE**

Availability Impact **HIGH**

NVD JSON

Published **2019-10-01**

Updated

Reference **PAN-SA-2019-0027**

Discovered **internally**

**Description**

Hardcoded credentials for root and inspector user accounts are present in the system software. (Ref: CVE-2019-15015)

The vulnerability allows for users to authenticate to the software using hardcoded credentials if access to SSH on the Zingbox Inspector is not otherwise restricted (see also PAN-SA-2019-0029).

This issue affects Zingbox Inspector, versions 1.294 and earlier.

**Product Status**

Versions

Affected

Unaffected

Zingbox Inspector 1

<= 1.294

\>= 1.295

**Severity:HIGH**

CVSSv3.1 Base Score:8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Weakness Type**

CWE-798 Use of Hard-coded Credentials

**Solution**

Zingbox Inspector, version 1.295 and later.

**Workarounds and Mitigations**

In the normal course of operation, Zingbox Inspector automatically updates its own software, and a fixed version of software has already been made available. No user action is required unless the software is unable to update itself. Customers still running affected versions of Zingbox Inspector software can mitigation this issue by updating to a patched version, or by manually running the command "passwd" to change the password for the inspector/root users. See product documentation for more information on how to change passwords for system users.

**Acknowledgments**

Note: This security issue was found during an internal security audit performed during the Palo Alto Networks acquisition of Zingbox. The issues discovered during this process have been addressed in software updates as described in the published Zingbox security advisories.

CVE-2019-15015: CVE-2019-15015 Hardcoded Credentials in Zingbox Inspector

The SSH service is enabled on the Zingbox Inspector versions 1.294 and earlier, exposing SSH to the local network. When combined with PAN-SA-2019-0027, this can allow an attacker to authenticate to the service using hardcoded credentials.

Palo Alto Networks Security Advisories / CVE-2019-15017

Attack Vector **LOCAL**

Scope **UNCHANGED**

Attack Complexity **LOW**

Confidentiality Impact **HIGH**

Privileges Required **NONE**

Integrity Impact **HIGH**

User Interaction **NONE**

Availability Impact **HIGH**

NVD JSON

Published **2019-10-01**

Updated

Reference **PAN-SA-2019-0029**

Discovered **internally**

**Description**

The SSH service is enabled on the Zingbox Inspector, exposing SSH to the local network. When combined with PAN-SA-2019-0027, this can allow an attacker to authenticate to the service using hardcoded credentials. (Ref: CVE-2019-15017)

The vulnerability allows for users to authenticate to the software using hardcoded credentials if access to SSH on the Zingbox Inspector is not otherwise restricted (see also PAN-SA-2019-0027).

This issue affects Zingbox Inspector, versions 1.294 and earlier.

**Product Status**

Versions

Affected

Unaffected

Zingbox Inspector 1

<= 1.294

\>= 1.295

**Severity:HIGH**

CVSSv3.1 Base Score:8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Weakness Type**

CWE-798 Use of Hard-coded Credentials

**Solution**

Zingbox Inspector, version 1.295 and later.

**Workarounds and Mitigations**

In the normal course of operation, Zingbox Inspector automatically updates its own software, and a fixed version of software has already been made available. No user action is required unless the software is unable to update itself. Customers still running affected versions of Zingbox Inspector software can mitigation this issue by updating to a patched version, or by disabling access to port 22 on the Zingbox Inspector by using a firewall.

**Acknowledgments**

Note: This security issue was found during an internal security audit performed during the Palo Alto Networks acquisition of Zingbox. The issues discovered during this process have been addressed in software updates as described in the published Zingbox security advisories.

Tag

#hard_coded_credentials