Cyber Resilience

CVE-2024-39345

High · RCE

Published: 24 July 2024
Modified: 21 November 2024
CVSS v3.1 Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.6th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-39345 is a high-severity OS Command Injection (CWE-78) vulnerability in Adtran SDG SmartOS. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE is ranked at the 29.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

AdTran 834-5 HDC17600021F1 (SmartOS 11.1.1.1) devices enable the SSH service by default and have a hidden, undocumented, hard-coded support account whose password is based on the device's MAC address. All of the device's internet interfaces share a similar MAC address that varies only in the final octet. This allows network-adjacent attackers to derive the support user's SSH password by decrementing the final octet of the connected gateway address or via the BSSID. An attacker can then execute arbitrary OS commands with root-level privileges. NOTE: The vendor states that there is no intended functionality allowing an attacker to execute arbitrary OS commands with root-level privileges. The vendor also states that this issue was fixed in SmartOS 12.5.5.1.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1021.004 SSH (Lateral Movement)
Adversaries may use Valid Accounts
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
T1133 External Remote Services (Persistence)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
Why these techniques?

A hard-coded, undocumented support account with a derivable password (from the MAC address, BSSID or gateway address) enables authentication as root via default-enabled SSH on internet-facing interfaces. This maps to valid default account abuse, remote access over SSH, external remote services for initial access, and network device CLI execution.

Affected Assets

Adtran SDG SmartOS, versions ≤ 12.1.3.1

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-259: Changing default authenticators prior to first use directly prevents use of hard-coded passwords.
Addresses CWE-259: Shared threat data frequently highlights products or deployments still using hard-coded passwords, enabling remediation that directly blocks credential-based attacks.
Addresses CWE-259: Background checks and authorization requirements decrease the probability that a developer will hard-code passwords for later unauthorized access.
Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
Addresses CWE-78: Input validation blocks special elements that would alter OS command execution.
Addresses CWE-259: Reviews of supplier deliverables reduce the chance that hard-coded passwords are introduced into the system.