Security researchers identified CVE-2024-28747 affecting SmartPLC AC14xx and AC4xxS devices with firmware up to 4.3.17, due to hard-coded credentials that allow unauthenticated remote access. Mitigation requires upgrading to firmware version 6.1.8 or later. #CVE-2024-28747 #SmartPLC #AC14xx #AC4xxS #HardcodedCredentials #Telnet #Firmware6_1_8
Keypoints
- CVE-2024-28747 affects SmartPLC AC14xx and AC4xxS devices with firmware ≤ 4.3.17 and is rated critical (CVSS base 9.8).
- Hard-coded credentials (username “target” and password “target”) are embedded in firmware, enabling unauthenticated remote access.
- The Telnet service is used for remote access, configured to run as root and without encryption, increasing risk.
- Exploitation flow includes device identification, initiating a Telnet session, using the hard-coded credentials, and gaining high privileges on the device.
- Mitigations include upgrading to firmware 6.1.8+, removing or replacing hard-coded credentials, and applying relevant IPS/NVD advisories.
- The advisory notes CWE-798 (Use of Hard-coded Credentials) and EPSS ~0.09% probability of exploitation in the next 30 days.
MITRE Techniques
- [T1021.004] Remote Services – Telnet – An attacker logs in to the device’s telnet service using root access after exploitation. Quote: ‘The telnet service is configured to run as root (see Figure 4), allowing high-level access upon successful login.’
- [T1078] Valid Accounts – Exploitation of hard-coded credentials to gain access to SmartPLC devices. Quote: ‘Exploitation of hard-coded credentials to gain access to SmartPLC devices.’
- [T1068] Privilege Escalation – Gaining high-level privileges through telnet access with hard-coded credentials. Quote: ‘Gaining high-level privileges through telnet access with hard-coded credentials.’
- [T1070] Defense Evasion – Indicator Removal on Host – Potentially modifying logs or configurations to hide unauthorized access. Quote: ‘Potentially modifying logs or configurations to hide unauthorized access.’
- [T1499] Impact – Endpoint Denial of Service – Disruption of operations by taking control of industrial control systems. Quote: ‘Disruption of operations by taking control of industrial control systems.’
Indicators of Compromise
- [Credential] target:target – Hard-coded credentials embedded in firmware enabling remote login via Telnet.
- [File] /etc/passwd – The passwd file contains critical information on user accounts (see Figure 1). Example: the entry for the “target” user.
- [Hash] PASSWD Entry Hash – Password hash for the target user shown in Figure 1 and discussed as cracked in Figure 2.
- [Hash] Figure_02_cracked_password – Demonstrates credentials exposure through password cracking (John the Ripper).
- [Signature] 20183 – IPS signature for ifm SmartSPS Default Account Login.
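The /etc/passwd indicators and the "remove or replace hard-coded credentials" mitigation above call for a defender-side check. As an added example (not code from the advisory or the vendor), the script below audits a passwd file extracted from a firmware image for the hard-coded account and the related weaknesses the advisory describes; the sample passwd content, the placeholder hash and every account name other than "target" are constructed.

```python
"""Audit a firmware /etc/passwd for default accounts and related weaknesses.

Added example for CVE-2024-28747-style findings; not the advisory's own code.
"""
from __future__ import annotations
from dataclasses import dataclass

# "target" is the account named in the advisory; extend the set per vendor.
KNOWN_DEFAULT_ACCOUNTS = frozenset({"target"})

@dataclass(frozen=True)
class Finding:
    user: str
    issue: str

def audit_passwd(passwd_text: str, known_defaults=KNOWN_DEFAULT_ACCOUNTS) -> list[Finding]:
    """Return one Finding per risky property found in each passwd entry."""
    findings: list[Finding] = []
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line, "malformed passwd entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in known_defaults:
            findings.append(Finding(name, "known default/hard-coded account present"))
        if pw == "":
            findings.append(Finding(name, "empty password field"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # A hash kept in world-readable /etc/passwd instead of /etc/shadow is
            # what makes offline cracking (Figure 2 of the advisory) possible.
            findings.append(Finding(name, "password hash stored in /etc/passwd"))
        if uid == "0" and name != "root":
            findings.append(Finding(name, "UID 0 account other than root"))
    return findings

# Constructed sample modelled on the advisory's Figure 1; the "target" hash
# is a placeholder, not a real hash, and the other non-root accounts are invented.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
target:$1$PLACEHOLDER$NOTAREALHASH00000000000:1000:1000:target:/home/target:/bin/sh
svc:x:0:0:service:/:/bin/sh
guest::1001:1001:guest:/tmp:/bin/sh
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user}: {f.issue}")
```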