CVE-2019-3950

Vulnerability

Arlo Base Station firmware versions 1.12.0.1_27940 and prior contain a hardcoded username and password combination that permits root access to the device. This vulnerability is present in the onboard UART (serial) interface and affects models VMB3010, VMB4000, VMB3500, VMB4500, and VMB5000 [1].

Exploitation

An attacker must have physical access to an affected Arlo base station to connect to the UART port using a serial connection. No authentication is required beyond connecting to the port, as the hardcoded credentials are used automatically to grant root-level shell access [1].

Impact

Successful exploitation gives an attacker root privileges on the device, allowing full control over the base station. This includes access to sensitive information stored on the device, such as camera configurations or network details. The attacker does not gain access to user video footage unless further vulnerabilities are exploited [1].

Mitigation

Arlo released automatic firmware updates to resolve this vulnerability: for VMB3010 and VMB4000 version 1.12.2.3_2772, for VMB3500 and VMB4500 version 1.12.2.4_2773, and for VMB5000 version 1.12.2.3_59_4a57cce. No workaround is available; users should ensure their base stations receive the automatic update [1].