CVE-2023-30351

Vulnerability

The Shenzen Tenda Technology IP Camera CP3 running firmware version V11.10.00.2211041355 contains a hard-coded root password that is stored using weak encryption (CWE-328, CWE-798). The password can be recovered by reversing the hash from the shadow file located in the Squashfs filesystem. This vulnerability allows attackers to gain root access via the TELNET service or the UART serial interface [1][2].

Exploitation

An attacker with network access to the TELNET service or physical access to the UART interface can exploit this vulnerability. The steps involve extracting the shadow file (e.g., from firmware or via physical access), reversing the weak hash to obtain the plaintext root password, and then authenticating via TELNET or UART to obtain a root shell [1][2].

Impact

Successful exploitation grants the attacker a root shell on the device, leading to full compromise of confidentiality, integrity, and availability. The attacker can view live video streams, modify device configuration, install malware, or use the camera as a pivot point within the network.

Mitigation

As of the publication date, no official patch has been released by the vendor. Users should consider disabling the TELNET service if possible, restricting network access to the device, and physically securing the device to prevent UART access. If the device is end-of-life, replacement with a supported model is recommended. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.