
Milesight UG67: Undocumented Default Password

The Milesight UG67 Outdoor LoRaWAN Gateway has an undocumented user account ‘pyuser’ with the guessable password ‘ur123456’.

Details

Introduction

The Milesight UG67 is a robust outdoor LoRaWAN® gateway designed for outdoor deployments.

More Details

The Milesight UG67 Outdoor LoRaWAN Gateway has an undocumented user account ‘pyuser’ with a guessable password.

Proof of Concept

Attackers with privileged access to a Milesight UG67 Outdoor LoRaWAN Gateway are able to extract the file ‘/etc/shadow’:

root:$1$LeEdx8s4$rHpvVnYk00euXq7yhilAy.:17415:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
admin:$1$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19643:0:99999:7:::
pyuser:$1$MD9B8mwI$QJiMcTT8uSUlqJ5oTZCQI/:17570:0:99999:7:::
ntp:x:0:0:99999:7:::
ggc_user:!:18369:0:99999:7:::
mosquitto:x:0:0:99999:7:::
postgres:x:0:0:99999:7:::
redis:x:0:0:99999:7:::
sshd:x:0:0:99999:7:::

While the default password for the user account ‘root’ is documented in the system’s manual and it is obviously wise to change it, the user account ‘pyuser’ is not mentioned there. Nor is the account ‘pyuser’ mentioned in the web interface of the Milesight UG67 LoRaWAN Gateway. However, the password ‘ur123456’ can easily be found using john or hashcat.

$ john shadow
Loaded 3 password hashes with 3 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
ur123456         (pyuser)
1g 0:00:16:05 2.40% 2/3 (ETA: 01:10:44) 0g/s 108442p/s 218023c/s

In contrast to the user account ‘root’, the account ‘pyuser’ only has a limited shell enabling access to the gateway’s text-based configuration system:

root@(none):/# grep pyuser /etc/passwd
pyuser:x:1001:1001::/home/pyuser:/usr/sbin/vtysh

This shell allows, for example, reading the configured WiFi password.

Workaround

Use the documented ‘root’ account to log in using SSH in order to change the password for the ‘pyuser’ account, or disable the account completely. It might be necessary to enable SSH access first; if this is the case, remember to disable SSH access again after changing the account.

Fix

It should be examined how the ‘pyuser’ account is used. If it is only used internally, the password and the login capability should be removed. If it is to be provided externally, the necessity to change its password should be documented and the ability to do so using the web interface should be provided.
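
One way to check an extracted copy of ‘/etc/shadow’ for accounts like ‘pyuser’, as an added example that is not part of the original advisory or the vendor's code: it lists every account whose password field accepts a login and flags those missing from a list of documented accounts. The function names, the allowlist {root, admin} and the placeholder hash values are assumptions made for this example.

```python
# Added example: audit a copy of /etc/shadow for accounts that accept password logins.
# crypt(3) scheme identifiers as they appear in "$id$..." password fields.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

# Constructed sample modelled on the listing above; hash values are placeholders.
SAMPLE_SHADOW = """\
root:$1$saltsalt$PLACEHOLDERHASHPLACEHOLDER0:17415:0:99999:7:::
daemon:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
admin:$1$saltsalt$PLACEHOLDERHASHPLACEHOLDER1:19643:0:99999:7:::
pyuser:$1$saltsalt$PLACEHOLDERHASHPLACEHOLDER2:17570:0:99999:7:::
ggc_user:!:18369:0:99999:7:::
"""

def classify(field):
    """Return (can_login, scheme) for the password field of one shadow entry."""
    if field == "":
        return True, "empty"      # no password required at all
    if not field.startswith("$"):
        return False, "locked"    # '*', 'x', '!' or '!<hash>' match no password
    parts = field.split("$")      # "$1$salt$hash" -> ['', '1', 'salt', 'hash']
    if len(parts) < 4:
        return False, "locked"    # malformed hash string, matches no password
    return True, SCHEMES.get(parts[1], "unknown")

def audit(shadow_text, documented):
    """Return (user, scheme, issues) for every account that accepts a password."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue              # blank or malformed line
        user, (can_login, scheme) = fields[0], classify(fields[1])
        if not can_login:
            continue
        issues = []
        if user not in documented:
            issues.append("undocumented")      # the 'pyuser' case
        if scheme in ("empty", "md5crypt"):
            issues.append("weak:" + scheme)    # fast to brute-force, or no password
        findings.append((user, scheme, issues))
    return findings

if __name__ == "__main__":
    # Assumption: 'root' and 'admin' are the accounts the operator knows about.
    for user, scheme, issues in audit(SAMPLE_SHADOW, documented={"root", "admin"}):
        print(f"{user:10} {scheme:12} {', '.join(issues) or 'ok'}")
```

After the password and login capability of an internal-only account have been removed, that account no longer appears in the output.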

Security Risk

Attackers with SSH access to a Milesight UG67 Outdoor LoRaWAN Gateway are able to log in to the account ‘pyuser’ using the undocumented password ‘ur123456’. The account ‘pyuser’ is configured to have a restricted menu-based configuration system as login shell. Thus, the guessable password for ‘pyuser’ is considered to pose a low risk on its own.

It is possible to circumvent this restricted shell; this is documented and rated separately in rt-sa-2024-003.

Timeline

  • 2024-04-25 Vulnerability identified
  • 2024-04-29 Customer approved disclosure to vendor
  • 2024-05-14 Vendor notified
  • 2024-06-28 Asked vendor for update
  • 2024-07-03 Vendor will provide update by end of July
  • 2024-07-24 Asked vendor for update
  • 2024-07-30 Vendor stated: Work in Progress
  • 2024-08-09 Vendor stated: Fix expected Q3/24
  • 2024-09-24 CVE ID requested
  • 2024-09-24 Asked vendor for update
  • 2024-09-24 Vendor stated: Fix in 60.0.0.44
  • 2024-10-04 CVE ID assigned
  • 2024-10-07 Asked vendor for update
  • 2024-10-08 Vendor stated: Fix will be available mid-October
  • 2024-10-18 Asked vendor for update
  • 2024-10-21 Vendor stated: Fix will be available mid-November
  • 2024-11-04 Vendor released fixed version for testing
  • 2024-11-05 Vendor released fixed version
  • 2024-12-10 Customer approved public release of vulnerability details
  • 2024-12-10 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/
