VYPR
Unrated severity · NVD Advisory · Published Jan 23, 2020 · Updated Aug 6, 2024

CVE-2012-6663

Description

General Electric D20ME devices expose plaintext passwords via TFTP due to misconfiguration, allowing remote attackers to gain credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The General Electric D20ME (and possibly D200) devices are shipped with a misconfiguration that exposes plaintext passwords in a TFTP-accessible configuration file. The vulnerability exists because the device does not enforce authentication or encryption for TFTP reads, allowing anyone with network access to retrieve the configuration. Affected versions include the D20ME and potentially other units in the same family, as noted in the Metasploit module [1].

Exploitation

An attacker needs only network access to the device's TFTP service (typically UDP port 69). No authentication or prior access is required. The attacker can use a TFTP client to request the configuration file, which contains the username, password, and authentication level list in plaintext. The Metasploit module auxiliary/gather/d20pass automates this process [1].

Impact

Successful exploitation yields a list of plaintext credentials, including usernames and passwords. An attacker can then use these credentials to log into the device with the corresponding privilege level, potentially gaining administrative access to the industrial control system. This compromises the confidentiality and integrity of the device and the network it controls.

Mitigation

No official patch or firmware update has been disclosed in the available references [1]. As a workaround, operators should disable the TFTP service if not required, restrict network access to the device via firewall rules, or implement network segmentation to limit exposure. If TFTP is necessary, consider using a VPN or other encrypted tunnel to protect the configuration transfer.
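
A defensive check that follows from the mitigation advice, added here as an example (not code from the advisory, Rapid7 or GE): it decodes TFTP read/write requests per RFC 1350 from captured UDP payloads and flags any sent to a protected device from outside an approved management range. The addresses, the file name `EXAMPLE.CFG` and the function names are constructed placeholders.

```python
import ipaddress
import struct

TFTP_PORT = 69
REQUEST_OPCODES = {1: "RRQ", 2: "WRQ"}  # read / write request (RFC 1350)

def parse_tftp_request(payload: bytes):
    """Decode a TFTP request: 2-byte opcode, filename NUL, mode NUL."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in REQUEST_OPCODES:
        return None  # DATA, ACK, ERROR or garbage
    fields = payload[2:].split(b"\x00")
    # A well-formed request ends in NUL, so split() yields a trailing empty field.
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    name = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return REQUEST_OPCODES[opcode], name, mode

def audit_tftp(datagrams, devices, allowed_sources):
    """Alert on TFTP requests to protected devices from unapproved hosts."""
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    alerts = []
    for src, dst, dport, payload in datagrams:
        if dport != TFTP_PORT or dst not in devices:
            continue
        request = parse_tftp_request(payload)
        if request is None:
            continue
        if any(ipaddress.ip_address(src) in net for net in allowed):
            continue
        op, name, mode = request
        alerts.append({"src": src, "dst": dst, "op": op, "file": name, "mode": mode})
    return alerts

# Constructed sample: (src, dst, dst_port, UDP payload); RFC 5737 test addresses.
SAMPLE = [
    ("192.0.2.10", "198.51.100.20", 69, b"\x00\x01EXAMPLE.CFG\x00octet\x00"),
    ("203.0.113.77", "198.51.100.20", 69, b"\x00\x01EXAMPLE.CFG\x00octet\x00"),
    ("203.0.113.77", "198.51.100.20", 69, b"\x00\x03\x00\x01data"),
    ("203.0.113.77", "198.51.100.99", 69, b"\x00\x01x\x00octet\x00"),
]

if __name__ == "__main__":
    for alert in audit_tftp(SAMPLE, {"198.51.100.20"}, ["192.0.2.0/24"]):
        print("unapproved TFTP request:", alert)
```

Because the service performs no authentication, any hit from this check means the configuration may already have been read, so the credentials it holds should be treated as exposed.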

References
  1. Rapid7

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.
