CVE-2019-15497 Default Credentials

Summary

Default credentials in BlackBox iCompel and ONELAN Net-Top-Box devices allow remote attackers to access these devices with administrator- and root-level privileges.

These devices are used as digital signage solutions.

Impacted Products

  • iCompel units with product versions 9.2.3 through 11.1.4 are confirmed to be vulnerable
  • ONELAN Net-Top-Box units share a code base with iCompel. Versions 9.2.3 through 11.1.4 were acknowledged to be vulnerable as well

Details

Multiple default username and password combinations are present on the systems in their default state. These include:

  • ‘root’ – accessible via SSH – provides root-level access to the underlying Linux system
  • ‘remote’ – accessible via HTTP, HTTPS, and FTP – provides system-level access to the iCompel/NTB application
  • ‘maint’ – accessible only via the local console – provides the ability to factory-reset the system, including its security configuration
  • ‘chef’, ‘clerk’, ‘foyer’ – accessible via HTTP, HTTPS, and FTP – provide the ability to update and edit the displayed content

Workarounds

  • Change all default credentials
  • Prevent physical access to devices
  • Segment devices to prevent network access
  • Disable or remove unneeded accounts
  • Disable unneeded protocols
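One way to act on the "Disable or remove unneeded accounts" workaround on a Fedora-based unit. This is an added example, not the vendor's tooling or code from the advisory: a POSIX shell audit that reports which of the default accounts named above still carry a usable password hash in the shadow file, and locks the non-root ones. The account names come from the advisory; the sample passwd/shadow content is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor): audit a signage unit for the
# default accounts listed in CVE-2019-15497 and lock those that are still usable.

# Account names taken from the advisory.
DEFAULT_ACCOUNTS="root remote maint chef clerk foyer"

# list_unlocked_defaults PASSWD_FILE SHADOW_FILE
# Prints one advisory account per line that exists in PASSWD_FILE and whose shadow
# entry is neither locked ('!' or '*' prefix) nor empty.
list_unlocked_defaults() {
    passwd_file=$1
    shadow_file=$2
    for acct in $DEFAULT_ACCOUNTS; do
        grep -q "^${acct}:" "$passwd_file" || continue
        hash=$(awk -F: -v u="$acct" '$1 == u { print $2 }' "$shadow_file")
        case "$hash" in
            ''|'!'*|'*'*) ;;      # already locked or passwordless: nothing to do
            *) echo "$acct" ;;    # usable hash still present
        esac
    done
}

# lock_unlocked_defaults PASSWD_FILE SHADOW_FILE
# Locks every account reported above except root, which must keep a (rotated)
# password. Dry run by default; set APPLY=1 to actually call passwd -l.
lock_unlocked_defaults() {
    list_unlocked_defaults "$1" "$2" | while read -r acct; do
        [ "$acct" = root ] && { echo "root: rotate the password manually"; continue; }
        if [ "${APPLY:-0}" = 1 ]; then passwd -l "$acct"; else echo "would lock: $acct"; fi
    done
}

# Constructed sample files standing in for /etc/passwd and /etc/shadow.
TMPD=$(mktemp -d)
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
remote:x:1001:1001::/home/remote:/bin/bash
maint:x:1002:1002::/home/maint:/bin/bash
chef:x:1003:1003::/home/chef:/bin/bash
clerk:x:1004:1004::/home/clerk:/bin/bash
EOF
cat > "$TMPD/shadow" <<'EOF'
root:$6$constructedhash:18000:0:99999:7:::
remote:$6$constructedhash:18000:0:99999:7:::
maint:!:18000:0:99999:7:::
chef:*:18000:0:99999:7:::
clerk:$6$constructedhash:18000:0:99999:7:::
EOF

lock_unlocked_defaults "$TMPD/passwd" "$TMPD/shadow"
```

Run it against the real files with `list_unlocked_defaults /etc/passwd /etc/shadow` as root; `foyer` is absent from the sample, so only `root`, `remote` and `clerk` are reported.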

Additional Information

  • Devices are capable of auto-update to new system versions. This functionality does not appear to be enabled by default
  • Devices run Fedora Linux
  • As of 2019-05, over 600 devices were detected by Shodan as online and publicly accessible
  • As of 2019-08-22, 470 devices were detected by Shodan as online and publicly accessible

Discovery and Notification Timeline

  • 2019-05-02: Initial discovery
  • 2019-05-03: Vendors notified by email – automatic “ticket number assigned” email responses received
  • 2019-05-07: Received email response from vendor representative (Programming Team Lead at ONELAN)
  • 2019-05-08: Discussed risks, vulnerability, and possible remediations with vendor representative (Programming Team Lead at ONELAN)
  • 2019-05-08: Received email response from vendor representative (BlackBox Network Services Support) that this is “standard industry practice”
  • 2019-05-10: Informed by vendor representative (Programming Team Lead at ONELAN) that they have started an effort to notify customers of the vulnerability
  • 2019-05-11: Received automatic notification that the BlackBox ticket had been closed
  • 2019-07-15: Received update that ONELAN “will be working on security fixes for release towards Q3/Q4 this year”
  • 2019-08-22: CVE number requested

References