Summary
An attacker with network access to an XC-303 PLC running firmware below 3.5.17 Bugfix 1 can log in as root over SSH. The root password is hardcoded in the firmware.
Severity
Critical - Hardcoded password allows malicious actors to log in as root over SSH.
Proof of Concept
When on the same network as an XC-303 device running a vulnerable version, you can log in as root over SSH with the following credentials:
Further Analysis
The root password can be found in the XSOFT-CODESYS software: it is stored in clear text in the firmware updater tool.
Versions 3.5.16 and below use the insecure crypt algorithm to store the root password hash in /etc/shadow: the password hash "qFGk7N4OWLwR2" can be easily brute-forced.
If this vulnerability is exploited, it allows an attacker to persist on the device across reboots and updates (the device has no secure boot).
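An audit check for the weak hash storage described above, as an added example that is not part of the original advisory or of Eaton's software: it classifies the scheme of each /etc/shadow entry and flags legacy ones. The advisory's hash is 13 characters with no `$` prefix, which is the format of traditional DES-based crypt(3); the function names and the sample shadow lines are constructed for illustration.

```python
import re

# Prefix -> scheme name for modular crypt format ($id$...) hashes.
MCF_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Traditional DES crypt: 2-char salt + 11-char digest, alphabet ./0-9A-Za-z.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
WEAK = {"des-crypt", "md5crypt", "empty"}

def classify_hash(field):
    """Return the scheme name for the password field of a shadow entry."""
    if field == "":
        return "empty"                      # no password required
    if field[0] in "!*":
        return "locked"                     # password login disabled
    for prefix, name in MCF_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_CRYPT.fullmatch(field):
        return "des-crypt"
    return "unknown"

def audit_shadow(text):
    """Return (user, scheme) for every account whose hash scheme is weak."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":", 2)[:2]
        scheme = classify_hash(field)
        if scheme in WEAK:
            findings.append((user, scheme))
    return findings

# Constructed sample: only the root hash string is taken from the advisory.
SAMPLE = """\
root:qFGk7N4OWLwR2:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
operator:$6$examplesalt$constructedDigestPlaceholder:19000:0:99999:7:::
"""

if __name__ == "__main__":
    print(audit_shadow(SAMPLE))
```

The same function can be run over a shadow file extracted from a firmware image during review, so a legacy hash is caught before the image ships.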
Timeline
Date reported: 08/09/2024
Date fixed: 10/02/2023 (Eaton discovered this vulnerability as part of an internal regular cybersecurity assessment)
Date disclosed: 09/13/2024