Hard Coded Accounts in the Tenda AC15 Router – CVE-2018-5768

Introduction

The Tenda AC15 router was found to contain a variety of unnecessary accounts with incredibly weak passwords. These accounts do not allow access to the web interface, but they also cannot be configured from that interface. This means that without access to the device itself (such as over telnet or ssh), a user cannot change these accounts.

The /etc/passwd file contains the following entries:

The passwords for support, user and admin are all 1234. Logging in as any one of these accounts gives us root privileges. Combined with CVE-2018-5770, this vulnerability can lead to full compromise of the device.
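A defender-side check for this class of issue, as an added example that is not part of the original advisory: it parses a passwd file taken from an unpacked firmware image and flags accounts that can log in with a password, extra UID 0 accounts, and hashes kept in passwd itself. The sample input is constructed; only the account names come from the text above, and the UID, shell and hash fields are assumptions or placeholders.

```python
"""Audit a passwd file from an unpacked firmware image for built-in logins."""

# Constructed sample, NOT the router's real /etc/passwd. Account names are from
# the advisory; hashes are placeholders; UID 0 and /bin/sh are assumptions.
SAMPLE_PASSWD = """\
root:PLACEHOLDER_HASH_1:0:0:root:/:/bin/sh
admin:PLACEHOLDER_HASH_2:0:0:admin:/:/bin/sh
support:PLACEHOLDER_HASH_3:0:0:support:/:/bin/sh
user:PLACEHOLDER_HASH_4:0:0:user:/:/bin/sh
nobody:*:99:99:nobody:/:/bin/false
"""

NO_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
LOCKED_PREFIXES = ("*", "!")  # password field values that disable password login


def audit_passwd(text):
    """Return {account: [findings]} for entries that allow a password login."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            report[f"line {lineno}"] = ["malformed entry"]
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        # Locked accounts and accounts without a login shell are not reachable.
        if pw.startswith(LOCKED_PREFIXES) or shell in NO_LOGIN_SHELLS:
            continue
        findings = []
        if pw == "":
            findings.append("empty password")
        elif pw != "x":  # "x" means the hash lives in /etc/shadow instead
            findings.append("password hash stored in world-readable passwd")
        if uid == "0" and name != "root":
            findings.append("UID 0 account other than root")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{account}: {'; '.join(findings)}")
```

Any account this reports on a shipped image should be removed or locked in the firmware build, since the advisory notes that users cannot change these accounts from the web interface.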

Timeline

Vulnerability discovered and first reported by Fidus’ Penetration Testing & Research Team – 14/1/2018

Second attempt to make contact, further informing the vendor of the severity of the vulnerability – 18/1/2018

CVEs assigned by Mitre.org – 19/1/2018

Livechat attempt to contact vendor – 19/1/2018

Another attempt to contact vendor – 23/1/2018

Further attempt to contact vendor, confirming 5 CVEs had been assigned to their product – 31/1/2018

Final contact attempted & warning of public disclosure – 8/2/2018

Public disclosure – 19/3/2018