Source: cve@mitre.org
Multi-Tech ProxyServer products MTPSR1-100, MTPSR1-120, MTPSR1-202ST, MTPSR2-201, and MTPSR3-200 ship with a null password, which allows remote attackers to gain administrative privileges via Telnet or HTTP.
A critical vulnerability exists in multiple Multi-Tech ProxyServer products due to a default null password, granting unauthorized remote access. Attackers can easily gain administrative privileges through Telnet or HTTP, leading to complete system compromise and potential data breaches. Immediate action is required to mitigate this severe security risk.
Step 1: Target Identification: An attacker identifies vulnerable Multi-Tech ProxyServer devices, likely through network scanning (e.g., using tools like Nmap) or Shodan searches.
Step 2: Access Attempt (Telnet): The attacker initiates a Telnet connection to the target device on port 23.
Step 3: Authentication Bypass: The attacker attempts to log in to the administrative interface. Because of the null password, no password is required. The attacker simply presses enter when prompted for a password.
Step 4: Access Granted: The system grants the attacker administrative access.
Step 5: Command Execution: The attacker executes administrative commands, potentially including changing configurations, accessing sensitive data, or installing malicious software.
Step 6: Access Attempt (HTTP): The attacker attempts to access the device's web-based management interface, typically on port 80 or 8080. They navigate to the admin login page.
Step 7: Authentication Bypass (HTTP): The attacker attempts to log in to the administrative interface. Because of the null password, no password is required. The attacker simply leaves the password field blank and submits the form.
Step 8: Access Granted (HTTP): The system grants the attacker administrative access.
Step 9: Command Execution (HTTP): The attacker executes administrative commands via the web interface, potentially including changing configurations, accessing sensitive data, or installing malicious software.
The vulnerability stems from a fundamental design flaw: the Multi-Tech ProxyServer products are shipped with a default, blank password for the administrative account. This means no authentication is required to access the administrative interface via Telnet or HTTP. With authentication effectively disabled, every other security control on the device is bypassed, allowing unauthenticated users to gain full control of it. The root cause is a failure to implement secure default configurations, a common and easily exploitable class of weakness.
While no specific APT groups are directly linked to this CVE, the ease of exploitation makes it attractive to a wide range of attackers, including script kiddies and opportunistic attackers. The vulnerability's age and simplicity mean it is likely incorporated into automated attack tools. This vulnerability is not listed in the CISA KEV catalog; however, its severity and ease of exploitation warrant consideration for inclusion.
Network traffic analysis: Look for Telnet connections to the device, especially those with no authentication credentials provided.
HTTP traffic analysis: Examine HTTP requests to the device's management interface (e.g., /admin) with blank password submissions.
Log analysis: Review device logs for successful administrative logins in which no password was supplied.
IDS/IPS signatures: Implement signatures to detect Telnet connections with blank passwords or HTTP requests with empty password fields.
Honeypots: Deploy honeypots configured to mimic the vulnerable devices to attract and analyze attacker activity.
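As an added illustration of the HTTP traffic analysis above (example code, not from the original advisory or from Multi-Tech), the following flags captured login submissions to a management interface whose password field is blank. The request records, the /admin path and the password field names are constructed assumptions, since the advisory does not specify the product's actual login form.

```python
"""Flag HTTP login submissions to a device management interface whose
password field is blank. Sample data is constructed; the /admin path and
the field names are assumptions, not taken from the Multi-Tech products."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample of captured HTTP requests (e.g. from a proxy or IDS):
# each entry is (client IP, request line, form body).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "POST /admin/login HTTP/1.1", "username=admin&password="),
    ("10.0.0.5", "POST /admin/login HTTP/1.1", "username=admin&password=s3cret"),
    ("10.0.0.9", "GET /admin HTTP/1.1", ""),
    ("10.0.0.7", "POST /admin HTTP/1.1", "user=admin&password=&submit=Login"),
    ("10.0.0.8", "POST /status HTTP/1.1", "password="),
]

MANAGEMENT_PREFIXES = ("/admin",)                 # assumption: management path(s)
PASSWORD_FIELDS = ("password", "passwd", "pass")  # assumption: form field names


def is_management_path(path):
    """True if the request path is the management interface or beneath it."""
    return any(path == p or path.startswith(p + "/") for p in MANAGEMENT_PREFIXES)


def blank_password_login(method, target, body):
    """True for a POST to the management interface whose password field is
    present but empty, i.e. a null-password login attempt."""
    if method != "POST" or not is_management_path(urlsplit(target).path):
        return False
    # keep_blank_values is required, otherwise 'password=' would be dropped.
    fields = parse_qs(body, keep_blank_values=True)
    for name in PASSWORD_FIELDS:
        if name in fields and all(value == "" for value in fields[name]):
            return True
    return False


def find_blank_password_logins(requests):
    """Return (client, request_line) for every flagged request, in order."""
    hits = []
    for client, request_line, body in requests:
        method, target, _version = request_line.split(" ", 2)
        if blank_password_login(method, target, body):
            hits.append((client, request_line))
    return hits


if __name__ == "__main__":
    for client, line in find_blank_password_logins(SAMPLE_REQUESTS):
        print(f"ALERT blank-password login attempt from {client}: {line}")
```

A hit on a device that then returns a successful session is the condition the log-analysis item above describes; a hit that is rejected still indicates someone probing for the default credential.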
Immediately change the administrative password to a strong, unique password. This is the primary and most critical remediation step.
Disable Telnet access if not required. Use SSH for secure remote management.
Restrict access to the administrative interface to trusted IP addresses or networks.
Update the firmware to the latest version, if available. Check the Multi-Tech website for security patches.
Implement a robust password policy.
Regularly audit device configurations and access logs.
Consider replacing the vulnerable devices with more secure alternatives if updates are not available.