Baicells Nova436Q and Neutrino 430 devices with firmware through QRTB 2.7.8 have hardcoded credentials that are easily discovered, and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.)
(Somewhere between 9.5 and 10.0)
Incorrect Access Control
BaiCells
NOVA436Q - QRTB 2.7.8 (Likely all builds before 2.9.x) NEUTRINO430 - QRTB 2.7.8 (Likely all builds before 2.9.x)
Usernames and Passwords are static in the firmware, encrypted using crypt(), and so are crackable.
Remote
True
True
True
True
Out of the box, the firmware has static usernames and passwords.
https://na.baicells.com/Service/Firmware https://img.baicells.com//Upload/20211230/FILE/BaiBS_QRTB_2.7.8.IMG.IMG https://img.baicells.com//Upload/20210909/FILE/98d2752f-6e83-49b1-9dab-d291e9023db6.pdf
Yes, though not publicly.
Luke Jenkins
(timeline goes here)
User "admin" password of "Baicells" stored using unix crypt() DES algorithm.
Undocumented & non-configurable user "anonymous" password of "pqmz325" stored using unix crypt() DES algorithm.
Undocumented, non-configurable (but seemingly unusable for ssh) user "root" password of "qpa;10@)" stored using unix crypt() DES algorithm. Vendor claims this is unique per device, but this hasn't been confirmed.
This is my first published CVE, so please excuse (or pull request) any errors.
Thanks to the folks at UETN for the assistance and backing on this one.
Also thank you to the staff of Baicells NA for working with me on correcting this issue.