Advisory CVE-2022-37832 – Mutiny Network Monitoring Appliance hardcoded credentials

Dec 15, 2022 | Jumpsec, Vulnerability

Software: Mutiny Network Monitoring Appliance

Affected versions: < 7.2.0-10855 (all builds before the fixed release)

Vendor page: www.mutiny.com

CVE Reference: CVE-2022-37832

Published: 16/12/2022

CVSS 3.1 Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Attack Vector: Network

Credit: Ryan Saridar

Summary

An unauthenticated remote attacker who knows the hardcoded root password can log in to the appliance as root over SSH and take full control of it.

Mitigation

Upgrade to version 7.2.0-10855 or later, which disables SSH password authentication and enforces key-based authentication. Until the upgrade is applied, restrict network access to the appliance's SSH port to trusted management hosts.

Technical details

Before version 7.2.0-10855, the SSH service on the appliance accepts password logins, and the root account uses a weak password that is hardcoded and identical across releases. Anyone who knows that fixed password can therefore log in as root from the network, without any prior access, and obtain unrestricted control of the appliance. Builds from 7.2.0-10788 up to 7.2.0-10850 introduced key-based authentication but left password authentication enabled, so they remain exploitable. The patched build enforces key-based authentication and no longer accepts passwords.
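The weak state described above (password authentication on, root allowed to log in with a password) and the key-only state the fixed build enforces can both be expressed as sshd_config settings. The following is an added example, not code from the advisory or from Mutiny: it audits an sshd_config for that combination and writes the two constructed sample configs to a temporary directory. The real appliance's sshd_config path and contents are not given in the advisory, and the defaults assumed for absent keywords are stated in the comments.

```shell
#!/bin/sh
# Added example, not part of the JUMPSEC advisory or Mutiny's software:
# audit an sshd_config for the combination that exposes a hardcoded root
# password over the network (password authentication enabled AND root
# login permitted with a password), and show the hardened counterpart.
# The two config files below are constructed for the demo.

# Effective value of a global sshd_config keyword.
# sshd takes the FIRST occurrence of a keyword, keywords are case-insensitive,
# and anything after a "Match" line is conditional, so only the global
# section (before the first Match) is considered here.
#   $1 = config file, $2 = keyword, $3 = value to assume when absent
sshd_effective() {
    val=$(awk 'tolower($1) == "match" { exit } { print }' "$1" \
          | grep -i -E "^[[:space:]]*$2[[:space:]]+" \
          | head -n 1 | awk '{ print tolower($2) }')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$3"
    fi
}

# Returns 0 if a Match block overrides either keyword; those blocks are not
# evaluated here and must be reviewed by hand.
match_overrides_present() {
    awk 'tolower($1) == "match" { in_match = 1; next }
         in_match && (tolower($1) == "passwordauthentication" ||
                      tolower($1) == "permitrootlogin") { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Returns 0 if sshd would accept a password for root (the weak state in the
# advisory), 1 otherwise. Assumed defaults when a keyword is absent:
# PasswordAuthentication yes (OpenSSH default) and PermitRootLogin yes
# (the default before OpenSSH 7.0; a conservative assumption for an
# appliance of unknown vintage).
root_password_login_allowed() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    root=$(sshd_effective "$1" PermitRootLogin yes)
    if [ "$pw" = "yes" ] && [ "$root" = "yes" ]; then
        return 0
    fi
    return 1
}

# Human-readable verdict for one config file.
audit_sshd_config() {
    if root_password_login_allowed "$1"; then
        printf 'WEAK: %s accepts a password for root over SSH\n' "$1"
    else
        printf 'OK:   %s does not accept a password for root\n' "$1"
    fi
    if match_overrides_present "$1"; then
        printf 'NOTE: %s has Match blocks touching auth settings; review them\n' "$1"
    fi
}

# --- constructed sample configs -------------------------------------------
WORK=$(mktemp -d)
WEAK_CFG="$WORK/sshd_config.weak"
HARD_CFG="$WORK/sshd_config.hardened"

# What the advisory describes for builds before 7.2.0-10855: password login
# on and root allowed, so the fixed root password alone yields a shell.
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Key-only access, the state the advisory says the patched build enforces.
# prohibit-password lets root in with a key but never with a password;
# ChallengeResponseAuthentication is off so PAM cannot reintroduce a
# password prompt via keyboard-interactive.
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

audit_sshd_config "$WEAK_CFG"
audit_sshd_config "$HARD_CFG"
```

To confirm what a live appliance actually offers without knowing any password, run `ssh -o BatchMode=yes -o PreferredAuthentications=none root@<appliance>`; the client is refused and prints the server's permitted methods, e.g. `Permission denied (publickey,password)`, so a fixed build should list `publickey` only.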

Timeline

05/08/2022: Issue reported to the vendor

05/08/2022: Vendor acknowledged the issue

19/08/2022: Vendor fixed the issue

12/09/2022: CVE number assigned by MITRE

16/12/2022: Advisory published by JUMPSEC

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.


