{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/913565#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nThe Technicolor TG670 DSL Gateway Router includes a hard-coded service account that allows for authentication over services on the WAN interface, using HTTP, SSH, or TELNET. The authenticated user can use it to gain full administrative control of the router.\r\n\r\n\r\n### Description\r\n\r\nA hard-coded password refers to an unchangeable password that is stored within a device or an application. This type of password carries a significant risk as it can be exploited by malware or hackers to gain unauthorized access to devices and systems, enabling them to engage in malicious activities. In certain cases, a hard-coded account may possess administrative privileges, granting complete control over a device through an account that cannot be modified or deactivated.\r\n\r\nRecently, it was uncovered that the Technicolor TG670 DSL Gateway Router with firmware version 10.5.N.9. contains more than one hard-coded service account. These particular accounts allow full administrative access to the device via the WAN interface. If Remote Administration is enabled, the device can be remotely accessed from an external network interface, such as the Internet. This account seems to have full administrative access to modify the device settings. Additionally, it appears that this account is not documented and cannot be disabled or removed from the device.\r\n\r\n### Impact\r\n\r\nA remote attacker can use the default username and password to log in to the router as the administrator. This allows the attacker to modify any of the administrative settings of the router and use it in unexpected ways. This requires that Remote Administration be enabled on the router, which is the default setting as observed by the CODE WHITE security researcher Florian Hauser. 
\r\n\r\n\r\n### Solution\r\n\r\nIt is recommended that you check with your service provider whether appropriate patches and updates are available to resolve the hard-coded credentials stored on the devices. As a precaution, it is also recommended that you disable Remote Administration (WAN-side administration) when it is not needed, to reduce the risk of abuse of this service account.\r\n\r\n\r\n### Acknowledgements\r\n\r\nThanks to Florian Hauser from CODE WHITE for reporting this vulnerability.\r\n\r\nThis document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/913565"},{"url":"https://www.technicolor.com/contact","summary":"https://www.technicolor.com/contact"},{"url":"https://www.pcworld.com/article/423267/some-routers-vulnerable-to-remote-hacking-due-to-hard-coded-admin-credentials.html","summary":"https://www.pcworld.com/article/423267/some-routers-vulnerable-to-remote-hacking-due-to-hard-coded-admin-credentials.html"},{"url":"https://www.techtarget.com/searchsecurity/tip/How-hard-coded-credentials-threaten-industrial-control-systems","summary":"https://www.techtarget.com/searchsecurity/tip/How-hard-coded-credentials-threaten-industrial-control-systems"}],"title":"Hard-coded credentials in Technicolor TG670 DSL gateway router","tracking":{"current_release_date":"2023-07-12T13:20:30+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#913565","initial_release_date":"2023-07-11 14:51:02.773673+00:00","revision_history":[{"date":"2023-07-12T13:20:30+00:00","number":"1.20230712132030.2","summary":"Released on 2023-07-12T13:20:30+00:00"}],"status":"final","version":"1.20230712132030.2"}},"vulnerabilities":[{"title":"The router contains hard-coded credentials.","notes":[{"category":"summary","text":"The router contains hard-coded credentials."}],"cve":"CVE-2023-31808","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#913565"}]}],"product_tree":{"branches":[]}}