CVE-2021-31505 - OpenCVE

This vulnerability allows attackers with physical access to escalate privileges on affected installations of Arlo Q Plus 1.9.0.3_278. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSH service. The device can be booted into a special operation mode where hard-coded credentials are accepted for SSH authentication. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-12890.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Arlo	Q Plus Q Plus Firmware

Configuration 1 [-]

AND

cpe:2.3:o:arlo:q_plus_firmware:1.9.0.3_278:*:*:*:*:*:*:*

cpe:2.3:h:arlo:q_plus:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://kb.arlo.com/000062592/Security-Advisory-for-Arlo-Q-Plus-SSH-Use-of-Hard-coded-Credentials-Allowing-Privilege-Escalation
https://www.zerodayinitiative.com/advisories/ZDI-21-683/

History

No history.

MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2021-06-29T14:33:48

Updated: 2024-08-03T23:03:33.317Z

Reserved: 2021-04-16T00:00:00

Link: CVE-2021-31505

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-29T15:15:18.993

Modified: 2021-07-07T17:42:18.703

Link: CVE-2021-31505

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Q Plus", "vendor": "Arlo", "versions": [{"status": "affected", "version": "1.9.0.3_278"}]}], "credits": [{"lang": "en", "value": "Team FLASHBACK: Pedro Ribeiro (@pedrib1337 | pedrib@gmail.com) + Radek Domanski (@RabbitPro)"}], "descriptions": [{"lang": "en", "value": "This vulnerability allows attackers with physical access to escalate privileges on affected installations of Arlo Q Plus 1.9.0.3_278. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSH service. The device can be booted into a special operation mode where hard-coded credentials are accepted for SSH authentication. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-12890."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798: Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-29T14:33:48", "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-683/"}, {"tags": ["x_refsource_MISC"], "url": "https://kb.arlo.com/000062592/Security-Advisory-for-Arlo-Q-Plus-SSH-Use-of-Hard-coded-Credentials-Allowing-Privilege-Escalation"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "zdi-disclosures@trendmicro.com", "ID": "CVE-2021-31505", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Q Plus", "version": {"version_data": [{"version_value": "1.9.0.3_278"}]}}]}, "vendor_name": "Arlo"}]}}, "credit": "Team FLASHBACK: Pedro Ribeiro (@pedrib1337 | pedrib@gmail.com) + Radek Domanski (@RabbitPro)", "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This vulnerability allows attackers with physical access to escalate privileges on affected installations of Arlo Q Plus 1.9.0.3_278. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSH service. The device can be booted into a special operation mode where hard-coded credentials are accepted for SSH authentication. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-12890."}]}, "impact": {"cvss": {"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798: Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-683/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-683/"}, {"name": "https://kb.arlo.com/000062592/Security-Advisory-for-Arlo-Q-Plus-SSH-Use-of-Hard-coded-Credentials-Allowing-Privilege-Escalation", "refsource": "MISC", "url": "https://kb.arlo.com/000062592/Security-Advisory-for-Arlo-Q-Plus-SSH-Use-of-Hard-coded-Credentials-Allowing-Privilege-Escalation"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:03:33.317Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-683/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://kb.arlo.com/000062592/Security-Advisory-for-Arlo-Q-Plus-SSH-Use-of-Hard-coded-Credentials-Allowing-Privilege-Escalation"}]}]}, "cveMetadata": {"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "assignerShortName": "zdi", "cveId": "CVE-2021-31505", "datePublished": "2021-06-29T14:33:48", "dateReserved": "2021-04-16T00:00:00", "dateUpdated": "2024-08-03T23:03:33.317Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:arlo:q_plus_firmware:1.9.0.3_278:*:*:*:*:*:*:*", "matchCriteriaId": "0BFBFA34-86DC-4579-8A13-0DE2874E2CA5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:arlo:q_plus:-:*:*:*:*:*:*:*", "matchCriteriaId": "D65554E0-06B5-4E80-81F5-C42C9AD5A3FA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This vulnerability allows attackers with physical access to escalate privileges on affected installations of Arlo Q Plus 1.9.0.3_278. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSH service. The device can be booted into a special operation mode where hard-coded credentials are accepted for SSH authentication. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-12890."}, {"lang": "es", "value": "Esta vulnerabilidad permite a atacantes con acceso f\u00edsico escalar privilegios en las instalaciones afectadas de Arlo Q Plus versi\u00f3n 1.9.0.3_278. No es requerida una autenticaci\u00f3n para explotar esta vulnerabilidad. El fallo espec\u00edfico se presenta en el servicio SSH. El dispositivo puede ser arrancado en un modo de funcionamiento especial en donde credenciales embebidas son aceptadas para la autenticaci\u00f3n SSH. Un atacante puede aprovechar esta vulnerabilidad para escalar privilegios y ejecutar c\u00f3digo arbitrario en el contexto de root. Fue ZDI-CAN-12890"}], "id": "CVE-2021-31505", "lastModified": "2021-07-07T17:42:18.703", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-29T15:15:18.993", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Vendor Advisory"], "url": "https://kb.arlo.com/000062592/Security-Advisory-for-Arlo-Q-Plus-SSH-Use-of-Hard-coded-Credentials-Allowing-Privilege-Escalation"}, {"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-683/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}