CVE-2019-12776
published 2019-06-07


Priority P264, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.02% (78.5th percentile)
An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They include a hard-coded SSH backdoor for remote SSH and SCP access as the root user. A command in the relocate and relocate_revB scripts copies the hardcoded key to the root user's authorized_keys file, enabling anyone with the associated private key to gain remote root access to all affected products.

Affected

4 ranges
Vendor   Product                    Version range   Fixed in
enttec   datagate_mk2_firmware
enttec   e-streamer_mk2_firmware
enttec   pixelator_firmware
enttec   storm_24_firmware

Detection & IOCs (extracted from sources)

  • Detect unauthorized SSH/SCP access attempts to affected ENTTEC devices as the root user, which may indicate use of the hard-coded backdoor private key
  • Monitor execution of the 'relocate' and 'relocate_revB' scripts on ENTTEC devices, as these copy the hard-coded key into root's authorized_keys file
  • Inspect /root/.ssh/authorized_keys on affected ENTTEC devices for the presence of the hard-coded public key introduced by the relocate/relocate_revB scripts
  • Vulnerability affects firmware version 70044_update_05032019-482 and prior on ENTTEC Datagate Mk2, Storm 24, Pixelator, and E-Streamer Mk2; devices on this firmware should be treated as fully compromised from a remote root SSH perspective
  • The hard-coded SSH key grants root-level SCP access in addition to interactive SSH, meaning file exfiltration and upload to/from the device is also possible without authentication beyond possession of the private key
  • Public exploits are available for this vulnerability, lowering the bar for exploitation significantly
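
The authorized_keys and script checks listed above can be automated as below. This is an added example, not code from the vendor or from the sources this entry draws on. The key blobs, file contents and the KNOWN_BAD fingerprint are constructed placeholders, because this entry does not list the hard-coded key; the function names are hypothetical.

```python
import base64, binascii, hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (line_no, fingerprint_or_None, comment) per key entry."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type (quoted spaces are not handled).
        for i, tok in enumerate(fields[:-1]):
            if tok.startswith(KEY_TYPES):
                try:
                    fp = fingerprint(fields[i + 1])
                except (binascii.Error, ValueError):
                    fp = None  # unparsable blob: report it, do not skip it
                yield no, fp, " ".join(fields[i + 2:])
                break

def audit_keys(text, known_bad):
    """Return entries that match a known-bad fingerprint or fail to parse."""
    return [(no, fp, c) for no, fp, c in parse_authorized_keys(text)
            if fp is None or fp in known_bad]

def lines_touching_authorized_keys(script_text):
    """Return (line_no, line) for non-comment script lines naming the file."""
    return [(no, l.strip()) for no, l in enumerate(script_text.splitlines(), 1)
            if "authorized_keys" in l and not l.lstrip().startswith("#")]

# Constructed sample data; the blobs are not real keys.
BLOB_A = base64.b64encode(b"constructed-vendor-key").decode()
BLOB_B = base64.b64encode(b"constructed-admin-key").decode()
# Placeholder: substitute the fingerprint of the key found in the firmware.
KNOWN_BAD = {fingerprint(BLOB_A)}
SAMPLE_KEYS = ("# constructed authorized_keys\n"
               f"ssh-rsa {BLOB_B} admin@workstation\n"
               f"no-pty ssh-rsa {BLOB_A} constructed-backdoor\n")
SAMPLE_SCRIPT = ("#!/bin/sh\n# constructed stand-in for a relocate script\n"
                 "cat /constructed/key.pub >> /root/.ssh/authorized_keys\n")

if __name__ == "__main__":
    print(audit_keys(SAMPLE_KEYS, KNOWN_BAD), lines_touching_authorized_keys(SAMPLE_SCRIPT))
```

Run audit_keys over a copy of /root/.ssh/authorized_keys pulled from the device, and lines_touching_authorized_keys over the relocate and relocate_revB scripts extracted from the firmware image.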

CVSS provenance

nvd   v3.0   9.8    CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C