Advisory CVE-2022-37832 – Mutiny Network Monitoring Appliance hardcoded credentials

Software: Mutiny Network Monitoring Appliance

Affected versions: <= 7.2.0-10855

Vendor page: www.mutiny.com

CVE Reference: CVE-2022-37832

Published: 16/12/2022

CVSS 3.1 Score: 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network

Credit: Ryan Saridar

Summary

An attacker can log in as root remotely to the appliance via SSH.

Mitigation

Upgrade to version 7.2.0-10855 onwards to remediate the problem.

Technical details

Before version 7.2.0-10855, the SSH service allows password login to the appliance. The use of weak, hardcoded root credentials between versions means that an attacker with knowledge of this fixed password can log into the appliance remotely and gain unrestricted access to it. Between version 7.2.0-10788 and up to 7.2.0-10850, key-based authentication was introduced, however password-based authentication was not yet disabled. On the patched version, key-based authentication is enforced.

Timeline

05/08/2022: Issue reported to the vendor

05/08/2022: Vendor acknowledged the issues

19/08/2022: Vendor fixed the issue

12/09/2022: CVE number assigned from MITRE

16/12/2022: Advisory published by JUMPSEC