Software: Mutiny Network Monitoring Appliance
Affected versions: < 7.2.0-10855 (fixed in 7.2.0-10855)
Vendor page: www.mutiny.com
CVE Reference: CVE-2022-37832
Published: 16/12/2022
CVSS 3.1 Score: 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Credit: Ryan Saridar
Summary
An attacker can log in as root remotely to the appliance via SSH.
Mitigation
Upgrade to version 7.2.0-10855 or later, which enforces key-based SSH authentication. Until the upgrade is applied, restrict network access to the appliance's SSH port to trusted management hosts.
Technical details
Before version 7.2.0-10855, the SSH service on the appliance accepts password authentication, and the root account uses a weak, hardcoded password that is the same across installations and release versions. An attacker who knows this fixed password can therefore log in as root over SSH to any reachable appliance and gain unrestricted control of it. Key-based authentication was introduced between versions 7.2.0-10788 and 7.2.0-10850, but password-based authentication was not disabled in those builds, so they remain exploitable. From 7.2.0-10855 onwards, key-based authentication is enforced and password login is no longer accepted.
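The following is an added example, not code from the JUMPSEC advisory or from Mutiny: a small POSIX shell audit that reads an OpenSSH sshd_config and reports whether it still allows root to log in with a password (the state described for builds before 7.2.0-10855), together with a function that asks a live host which authentication methods it will accept for root. The three config fragments are constructed for illustration and are not taken from an appliance; the sshd defaults assumed in the comments are those of current OpenSSH.

```shell
#!/bin/sh
# Added example: audit sshd_config for password login as root, plus a live probe.
# Assumes OpenSSH semantics: the FIRST value seen for a keyword wins, keywords are
# case-insensitive, and everything after a "Match" line is conditional (ignored here).

# sshd_option <config> <keyword> <default>: first global value of a keyword, or default.
# Limitation (deliberate): "Keyword=value" syntax is not handled, only "Keyword value".
sshd_option() {
    val=$(sed '/^[[:space:]]*[Mm]atch[[:space:]]/,$d' "$1" |
          grep -iE "^[[:space:]]*$2[[:space:]]+" | head -n 1 |
          awk '{ print tolower($2) }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# root_password_login_allowed <config>: exit 0 if root can authenticate with a password.
# Requires PermitRootLogin yes AND a password-carrying method: plain password auth or
# keyboard-interactive (which, with UsePAM, also prompts for the account password).
root_password_login_allowed() {
    prl=$(sshd_option "$1" PermitRootLogin prohibit-password)   # default since OpenSSH 7.0
    pa=$(sshd_option "$1" PasswordAuthentication yes)           # default: yes
    # KbdInteractiveAuthentication is the newer name of ChallengeResponseAuthentication.
    kbd=$(sshd_option "$1" KbdInteractiveAuthentication \
          "$(sshd_option "$1" ChallengeResponseAuthentication yes)")
    if [ "$prl" = "yes" ] && { [ "$pa" = "yes" ] || [ "$kbd" = "yes" ]; }; then
        return 0
    fi
    return 1
}

# remote_root_auth_methods <host>: print the methods sshd offers for root (e.g.
# "publickey,password"). Not run here; needs network. BatchMode prevents any password
# prompt, and pubkey auth is disabled, so the client never actually authenticates.
remote_root_auth_methods() {
    ssh -v -o BatchMode=yes -o PubkeyAuthentication=no -o PreferredAuthentications=password \
        -o StrictHostKeyChecking=no -o ConnectTimeout=5 "root@$1" exit 2>&1 |
        sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# Constructed sample configs (illustrative, not copied from a Mutiny appliance).
WORK=$(mktemp -d)

# Pre-10788 style: password login for root, the hardcoded-credential exposure.
cat > "$WORK/before" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# 10788..10850 style: key auth present but password auth never switched off.
cat > "$WORK/interim" <<'EOF'
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
EOF

# 10855 style: key-based authentication enforced, no password path at all.
cat > "$WORK/after" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
EOF

for cfg in before interim after; do
    if root_password_login_allowed "$WORK/$cfg"; then
        echo "$cfg: VULNERABLE - root password login allowed"
    else
        echo "$cfg: ok - root password login not allowed"
    fi
done
```

Run it as-is to see the three verdicts; to check a deployed appliance from a management host, call `remote_root_auth_methods <ip>` and treat an answer containing `password` or `keyboard-interactive` as unpatched. A clean fixed host answers `publickey` only.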
Timeline
05/08/2022: Issue reported to the vendor
05/08/2022: Vendor acknowledged the issue
19/08/2022: Vendor fixed the issue
12/09/2022: CVE number assigned by MITRE
16/12/2022: Advisory published by JUMPSEC