CVE-2011-0885
Published 2011-02-08
Priority: P2 66, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 10.07% (95.0th percentile)
A certain Comcast Business Gateway configuration of the SMC SMCD3G-CCR with firmware before 1.4.0.49.2 has a default password of D0nt4g3tme for the mso account, which makes it easier for remote attackers to obtain administrative access via the (1) web interface or (2) TELNET interface.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smc_networks | smcd3g-ccr_firmware | <= 1.4.0.49 | — |
| smc_networks | smcd3g-ccr_firmware | — | — |
Detection & IOCs
- Detect login attempts using the default credential 'mso' / 'D0nt4g3tme' against the web interface (port 80/443) or Telnet interface of SMC SMCD3G-CCR devices.
- Monitor for sequential/brute-force HTTP requests to /admin/index.asp with incrementing integer 'userid' cookie values (epoch-range), indicative of session ID brute-forcing.
- Alert on CSRF-style POST requests to the gateway management interface pages (e.g., remote administration, DNS, NAT config pages) originating from unexpected referrers or cross-origin contexts.
- Flag any successful Telnet sessions to the gateway device using the 'mso' account, as this grants UID 0 (root) shell access.
- The default 'mso' password is not surfaced during device installation and users are not prompted to change it, meaning most deployed devices retain the vulnerable default credential.
- Session brute-force attack window is limited to approximately 10 minutes due to session expiry, but can be combined with other attack vectors (e.g., CSRF) to increase effectiveness.
- Only firmware versions prior to 1.4.0.49.2 are affected; the fixed version can be verified via the 'About' link in the management interface.
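The second detection item above (rising 'userid' cookie values against /admin/index.asp) can be checked offline over proxy or IDS logs. The following is an added example, not code from the advisory or this page's sources; the log layout, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

WINDOW_SECS = 600   # the page gives a roughly 10-minute session lifetime
MIN_DISTINCT = 5    # assumed threshold: distinct userid values per source
MIN_RISING = 0.8    # assumed: share of consecutive requests with a higher userid

# Assumed log layout: "<epoch> <src_ip> <method> <path> userid=<int>"
LINE_RE = re.compile(r"^(\d+) (\S+) (?:GET|POST) (\S+) userid=(\d+)$")

# Constructed sample: one admin reusing a single session, one source sweeping values.
SAMPLE_LOG = "\n".join(
    [f"{1297160000 + 30 * i} 192.0.2.10 GET /admin/index.asp userid=1297159400"
     for i in range(4)]
    + [f"{1297160100 + i} 198.51.100.7 GET /admin/index.asp userid={1297159000 + i}"
       for i in range(6)]
)

def find_userid_sweeps(log_text):
    """Return one alert per source that walks rising userid values in the window."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "/admin/index.asp":
            per_src[m.group(2)].append((int(m.group(1)), int(m.group(4))))
    alerts = []
    for src, events in per_src.items():
        events.sort()  # order by timestamp so the sliding window is valid
        start = 0
        for end in range(len(events)):
            # Shrink the window to the session lifetime before evaluating it.
            while events[end][0] - events[start][0] > WINDOW_SECS:
                start += 1
            ids = [uid for _, uid in events[start:end + 1]]
            rising = sum(1 for a, b in zip(ids, ids[1:]) if b > a)
            if len(set(ids)) >= MIN_DISTINCT and rising >= MIN_RISING * (len(ids) - 1):
                alerts.append({"src": src, "first_id": ids[0], "last_id": ids[-1]})
                break  # one alert per source is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in find_userid_sweeps(SAMPLE_LOG):
        print(alert)
```

A source that keeps presenting the same 'userid' value, as a logged-in administrator does, never reaches the distinct-value threshold and is not reported.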
References
- http://seclists.org/bugtraq/2011/Feb/36
- http://secunia.com/advisories/43199
- http://securityreason.com/securityalert/8066
- http://www.exploit-db.com/exploits/16123/
- http://www.securityfocus.com/archive/1/516205/100/0/threaded
- http://www.securityfocus.com/bid/46215
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65184
- https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt