VYPR
Critical severity 9.8 · NVD Advisory · Published Dec 27, 2017 · Updated May 13, 2026

CVE-2017-17878

Description

The Steam Link build 643 uses DES password hashing, truncating root passwords to 8 characters and making long passwords no more secure than an 8-character prefix.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Valve Steam Link (build 643) uses BusyBox with the CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="des" setting, which applies DES password hashing for the root account. DES hashing truncates passwords to the first 8 characters, so any characters beyond the 8th are ignored. The default password steamlink is effectively treated as steamlin [1]. This affects all installations running build 643 or earlier with default settings.

Exploitation

No authentication or special access is required to exploit this. An attacker with network access to the device can mount an offline brute-force or wordlist attack against the hashed root password. Because only the first 8 characters are significant, the keyspace is drastically reduced. For example, a password like development_qNmGYuCVGQTRm5gL is actually equivalent to develope [1]. The attacker does not need user interaction or elevated privileges on the target.

Impact

Successful exploitation allows an attacker to recover the root password and gain full administrative access to the device. This results in complete compromise of confidentiality, integrity, and availability (CIA) of the Steam Link system, including potential control of connected peripherals, access to stored credentials, and network pivoting.

Mitigation

As a temporary workaround, users can manually change the root password hashing algorithm to SHA512 by running: passwd -a sha512 root [1]. The vendor (Valve) has not released a firmware update addressing this issue; they attempted to fix the documentation rather than the underlying cryptographic setting [1]. No fixed version or KEV listing is available as of the publication date.
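To confirm the workaround took effect, the stored hash can be checked for its scheme: traditional DES crypt is a bare 13-character string, while SHA-512 crypt starts with `$6$`. The script below is an added example, not code from the advisory or from Valve; the function names `classify_hash` and `audit_shadow` are hypothetical, and the sample lines are constructed placeholders rather than real hashes.

```shell
#!/bin/sh
# Added example (not from the advisory): find accounts still stored with DES crypt.

# classify_hash HASH: print the scheme implied by a shadow password field.
classify_hash() {
    h=$1
    case $h in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        '$1$'*)    echo md5 ;;
        '$5$'*)    echo sha256 ;;
        '$6$'*)    echo sha512 ;;   # what "passwd -a sha512" should produce
        '$'*)      echo other ;;
        *)
            # Traditional DES crypt: 2-char salt + 11-char hash = 13 chars,
            # all from [./0-9A-Za-z], with no "$id$" prefix.
            if [ "${#h}" -eq 13 ] &&
               [ -z "$(printf '%s' "$h" | tr -d './0-9A-Za-z')" ]; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# audit_shadow: read shadow-format lines on stdin, print each user whose
# hash is DES crypt. Returns 1 if any were found, 0 otherwise.
audit_shadow() {
    found=0
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        if [ "$(classify_hash "$hash")" = des ]; then
            echo "$user"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample input: format-valid placeholders, not real hashes.
audit_shadow <<'EOF' || echo "above accounts: only the first 8 password characters count"
root:ab0123456789.:17000:0:99999:7:::
svc:$6$constructedsalt$placeholderdigest:17000:0:99999:7:::
nobody:*:17000:0:99999:7:::
EOF
```

On a device, feed the function the file that holds the password hashes; a non-zero exit status means at least one account is still on DES and its password should be set again after switching the algorithm.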

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
