EE 4GEE HH70 Home Router Hardcoded Root SSH Credentials Advisory Hardware Version/Model: 4GEE Router HH70VB-2BE8GB3 (HH70VB) Vulnerable Software Version: HH70_E1_02.00_19 Patched Software Version: HH70_E1_02.00_21 Vulnerability CVE(s): CVE-2018-10532 Product URL: https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-router/details Vulnerability Description: An issue was discovered on EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 devices. Hardcoded root SSH credentials were discovered to be stored within the "core_app" binary utilised by the EE router for networking services. An attacker with knowledge of the default password (oelinux123) could login to the router via SSH as the root user, which could allow for the loss of confidentiality, integrity, and availability of the system. This would also allow for the bypass of the "AP Isolation" mode that is supported by the router, as well as the settings for multiple Wireless networks, which a user may use for guest clients. Attack Vectors: An attacker must be able to communicate with the SSH server, however the router supports multiple networks and "AP Isolation" mode which could be bypassed if the malicious user compromises the router with the default credentials/hard coded SSH credentials. Attack Type: Remote: Impact: Administrative SSH Access Affected Component: root@OpenWrt:/usr/bin# strings core_app | grep root sshpass -p oelinux123 scp root@192.168.225.1:%s %s sshpass -p oelinux123 scp %s root@192.168.225.1:%s Reference(s): https://blog.jameshemmings.co.uk/2018/04/29/4gee-hg70-router-vulnerability-disclosure https://www.theregister.co.uk/2018/10/26/ee_4gee_hh70_ssh_backdoor https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-router/details Disclosure Timeline: 29th April, 2018 at 12:52 GMT. Email sent with technical vulnerability information and PoC. 10th May, 2018 at 23:23 GMT. Followup email sent, no acknowledgement received. 11th May, 2018 at 06:47 GMT. Acknowledgement received from EE, remedial work being reviewed. 29th June, 2018 at 18:56 GMT. Followup email sent, noticed EE security patch email.. confirming if this fixes vulnerability. 29th June, 2018 at 19:01 GMT. Email from EE, still evaluating fixes of the vulnerability. 18th July, 2018 at 19:32 GMT. Email sent to EE, asking for update as 90 day window closing shortly. 18th July, 2018 at 22:12 GMT. Reply from EE, asking for IMEI and current S/W version. 19th July, 2018 at 15:14 GMT. Reply from EE, asking for exact steps to reproduce issue. 20th July, 2018 at 07:56 GMT. Email sent to EE with requested information. 4th October, 2018 at 22:58 GMT. Email sent to EE asking for update. 5th October, 2018 at 08:29 GMT. Reply from EE stating its patched. 5th October, 2018 at 19:51 GMT. Advised EE that its not patched on this version. 6th October, 2018 at 06:54 GMT. Reply from EE, stating they will check with their development team and will come back to me on Monday. 6th October, 2018 at 08:30 GMT. Email to EE acknowledging last email and that is OK. 6th October, 2018 at 08:40 GMT. Reply from EE asking for clarity on the vulnerability and the recommended fix, as well as the overall risk rating. 6th October, 2018 at 09:11 GMT. Email sent to EE with the requested information. 6th October, 2018 at 09:17 GMT. Reply sent from EE, mentioning the comments/advice is understood and they will be in touch on Monday. 8th October, 2018 at 21:50 GMT. Email sent to EE asking for fix ETA. 8th October, 2018 at 22:03 GMT. Reply from EE, advising they are still working on the issue and the options. Update to be provided tomorrow. 9th October, 2018 at 20:05 GMT. Reply from EE, confirming SSH functionality has been disabled in the fix and there is further verification required before an update is released. 9th October, 2018 at 20:13 GMT. Email sent to EE asking for approximate ETA and planned fix date. 9th October, 2018 at 20:16 GMT. Reply from EE, stating its being pushed through as a matter of urgency, that the fix has been verified and the binary is being compiled at the moment, further verification still required. 12th October, 2018 at 11:51 GMT. Email sent to EE, asking for approximate ETA. 12th October, 2018 at 12:43 GMT. Reply from EE, stating validation completed 20 minutes ago. Consumer package to be deployed rather than the test variant, will be released this week. 13th October, 2018 at 19:39 GMT. Email sent to EE, asking for notification when consumer version released. Stated I will hold public disclosure at present. 17th October, 2018 at 15:40 GMT. Reply from EE, stating validation has been completed, however theirs another minor change needed. Phone call to be conducted tomorrow to finalise build and if two changes are required or not. Feedback to be provided tomorrow. 18th October, 2018 at 19:02 GMT. Email sent to EE, asking for updates. 18th October, 2018 at 19:39 GMT. Reply from EE, testing has been completed but another update is going to be included and the bundle will be released early next week. 18th October, 2018 at 20:26 GMT. Email sent to EE, mentioning this was said last week and that I will be going public with vulnerability disclosure next Wednesday, as this is well over 90 day agreed disclosure period. 21st October, 2018 at 20:17 GMT. Reply from EE, stating they addressed the SSH issue by disabling it but another patch needs to be merged to manage customer experience. Original validation of vulnerability took longer than anticipated. 23rd October, 2018 at 18:05 GMT. Email sent to EE, asking for further updates. 23rd October, 2018 at 18:11 GMT. Reply from EE, stating release will be deployed Thursday and asking for IMEI. 24th October, 2018 at 20:01 GMT. Email sent to EE, with IMEI. 24th October, 2018. Full Disclosure via Blog. 26th October, 2018 at 06:33 GMT. Reply from EE, confirming update should be available. 26th October, 2018 at 07:05 GMT. Email sent to EE, advising that update is not showing. 26th October, 2018 at 09:32 GMT. Reply from EE, advising update is now fully available. 26th October, 2018 at 17:54 GMT. Email sent to EE, adivsing update has resolved the issue. Disclaimer The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.