Software: Mutiny Network Monitoring Appliance
Affected versions: <= 7.2.0-10855
Vendor page: www.mutiny.com
CVE Reference: CVE-2022-37832
CVSS 3.1 Score: 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Credit: Ryan Saridar
An attacker can log in as root remotely to the appliance via SSH.
Upgrade to version 7.2.0-10855 onwards to remediate the problem.
Before version 7.2.0-10855, the SSH service allows password login to the appliance. The same weak, hardcoded root password is used across versions, so an attacker who knows this fixed password can log into the appliance remotely and gain unrestricted access to it. Between version 7.2.0-10788 and up to 7.2.0-10850, key-based authentication was introduced; however, password-based authentication was not yet disabled. On the patched version, key-based authentication is enforced.
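The weakness above comes down to two sshd settings: whether password authentication is accepted at all, and whether root may log in with one. The following script is an added example, not part of the advisory and not the vendor's code; both configurations it audits are constructed for illustration, and the function names are assumed. It reads the global settings of an sshd_config the way sshd does (first match wins, OpenSSH defaults apply when a keyword is absent) and reports whether a remote password login as root would be accepted, which is the condition a fixed root password turns into full compromise.

```shell
#!/bin/sh
# Added example: audit an sshd_config for remote root password login.
# Not from the advisory or the vendor; sample configs are constructed.

# Constructed weak configuration: passwords accepted, root may use one.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed hardened configuration: key-only authentication enforced,
# root may still log in but only with a key (prohibit-password).
HARDENED_CONFIG='Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes'

# sshd_option CONFIG KEYWORD DEFAULT
# Prints the effective value of KEYWORD: comments are skipped, the keyword
# is matched case-insensitively, the first occurrence wins (as in sshd),
# and DEFAULT is printed when the keyword is absent. Match blocks are not
# evaluated; only the global section is considered.
sshd_option() {
    config="$1"; keyword="$2"; default="$3"
    value=$(printf '%s\n' "$config" \
        | grep -vE '^[[:space:]]*#' \
        | awk -v k="$keyword" 'tolower($1)==tolower(k) {print $2; exit}')
    printf '%s\n' "${value:-$default}"
}

# root_password_login_possible CONFIG
# Exit status 0 if sshd would accept a password login for root, 1 otherwise.
# Defaults follow current OpenSSH: PasswordAuthentication yes,
# PermitRootLogin prohibit-password (older releases defaulted to yes,
# so an absent PermitRootLogin on an old build deserves a manual look).
root_password_login_possible() {
    pw=$(sshd_option "$1" PasswordAuthentication yes)
    root=$(sshd_option "$1" PermitRootLogin prohibit-password)
    case "$pw" in
        yes) ;;
        *) return 1 ;;   # no password logins for anyone
    esac
    case "$root" in
        yes) return 0 ;; # passwords accepted and root allowed to use them
        *) return 1 ;;   # no, prohibit-password, without-password, forced-commands-only
    esac
}

# audit LABEL CONFIG
# Prints a one-line verdict; always returns 0 so it can be used in a loop.
audit() {
    if root_password_login_possible "$2"; then
        echo "$1: FAIL - remote root password login is possible"
    else
        echo "$1: OK - root password login is not accepted"
    fi
    return 0
}

# Run the audit over both constructed configurations.
audit weak "$WEAK_CONFIG"
audit hardened "$HARDENED_CONFIG"
```

On a real host the same check is `root_password_login_possible "$(cat /etc/ssh/sshd_config)"`; the verdict for the weak configuration is the state the advisory describes for the unpatched appliance, and the hardened one matches the enforced key-based authentication of the fixed release.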
05/08/2022: Issue reported to the vendor
05/08/2022: Vendor acknowledged the issue
19/08/2022: Vendor fixed the issue
12/09/2022: CVE number assigned from MITRE
16/12/2022: Advisory published by JUMPSEC