CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
39.3%
CVE-2023-46685
A hard-coded password vulnerability exists in the telnetd functionality of LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623. A set of specially crafted network packets can lead to arbitrary command execution.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623
WBR-6013 - <https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103>
9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-259 - Use of Hard-coded Password
The WBR-6013 is a SOHO wireless router produced by LevelOne.
The WBR-6013 has a telnetd service that listens for connections. In the WBR-6013βs documentation, telnetd is not mentioned and the credentials for login are not mentioned either.
The file /etc/passwd_orig
is going to be used as /etc/passwd
file. This file also contains the hash of the usersβ passwords:
root:<redacted>:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null
admin:<redacted>:1000:1000:Linux User,,,:/home/admin:/bin/sh
The credentials for obtaining root in the WBR-6013 device, through telnet, are weak and hardcoded. An attacker could use these hard-coded credentials for obtaining complete control over the device.
It is possible to connect to the telnetd service and obtain root by providing the hard-coded rootβs password.
# telnet 192.168.100.1
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.
rlx-linux login: root
Password:
RLX Linux version 2.0
_ _ _
| | | ||_|
_ _ | | _ _ | | _ ____ _ _ _ _
| |/ || |\ \/ / | || | _ \| | | |\ \/ /
| |_/ | |/ \ | || | | | | |_| |/ \
|_| |_|\_/\_/ |_||_|_| |_|\____|\_/\_/
For further information check:
http://processor.realtek.com/
# ls /
bin etc init mnt root sys usr web
dev home lib proc sbin tmp var
LevelOne has declined to patch the issues in their software.
2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-07-08 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.
Vulnerability Reports Next Report
TALOS-2023-1874
Previous Report
TALOS-2023-1784
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
39.3%