PT-2021-9675 · Mofi Network · Mofi4500-4Gxelte
Published 2021-02-01 · Updated 2021-02-03
CVE-2020-13858
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Mofi Network MOFI4500-4GXeLTE versions 3.6.1-std through 4.0.8-std
Description
An issue was discovered in Mofi Network MOFI4500-4GXeLTE devices, where two undocumented administrator accounts, sftp and mofidev, are defined in /etc/passwd. The password for these accounts is not unique across installations.
Recommendations
For version 3.6.1-std, consider disabling the sftp and mofidev accounts until a patch is available.
For version 4.0.8-std, restrict access to the accounts sftp and mofidev to minimize the risk of exploitation.
As a temporary workaround, consider changing the passwords for the sftp and mofidev accounts to unique values for each installation.
Fix
Using Hardcoded Credentials
Weakness Enumeration
Related Identifiers
Affected Products
Mofi4500-4Gxelte
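One way to check a device, or an extracted firmware image, against the recommendations above. This is an added example, not part of the original advisory or any vendor tooling. It assumes the standard passwd/shadow field layout; the function names, the use of a shadow file and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Audit passwd/shadow files for the two accounts named in CVE-2020-13858.
# Paths are arguments, so an unpacked firmware image can be checked offline.
# On a live device (assumed paths): sh audit.sh /etc/passwd /etc/shadow
ACCOUNTS="sftp mofidev"

# account_state NAME PASSWD SHADOW -> prints: absent | locked | active
account_state() {
    name=$1 passwd=$2 shadow=$3
    entry=$(awk -F: -v n="$name" '$1 == n { print $2 ":" $7; exit }' "$passwd")
    [ -n "$entry" ] || { echo absent; return; }
    hash=${entry%%:*}
    # "x" in passwd means the real hash is stored in the shadow file.
    if [ "$hash" = "x" ] && [ -r "$shadow" ]; then
        hash=$(awk -F: -v n="$name" '$1 == n { print $2; exit }' "$shadow")
    fi
    case $hash in
        '!'*|'*'*) echo locked ;;  # password login disabled
        *)         echo active ;;  # usable hash, empty password, or unknown
    esac
}

# audit PASSWD SHADOW -> one line per account; exit status = accounts still active
audit() {
    active=0
    for a in $ACCOUNTS; do
        s=$(account_state "$a" "$1" "$2")
        uid=$(awk -F: -v n="$a" '$1 == n { print $3; exit }' "$1")
        echo "$a uid=${uid:--} state=$s"
        [ "$s" = active ] && active=$((active + 1))
    done
    return "$active"
}

# Constructed sample (not taken from a device): mofidev locked, sftp untouched.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/ash' \
        'sftp:x:0:0:sftp:/root:/bin/ash' \
        'mofidev:x:0:0:mofidev:/root:/bin/ash' > "$d/passwd"
    printf '%s\n' 'root:$1$CONSTRUCTED$hash:18000:0:99999:7:::' \
        'sftp:$1$CONSTRUCTED$hash:18000:0:99999:7:::' \
        'mofidev:!$1$CONSTRUCTED$hash:18000:0:99999:7:::' > "$d/shadow"
    audit "$d/passwd" "$d/shadow" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

[ "$#" -ne 2 ] || audit "$1" "$2"
```

A non-zero exit status means at least one of the two accounts still accepts a password; after changing a password rather than locking the account, the state stays `active`, so uniqueness per installation has to be tracked separately.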