CVE-2023-30354

Vulnerability

The Shenzen Tenda Technology IP Camera CP3 in version V11.10.00.2211041355 does not protect against physical attacks via the UART serial interface. During boot, U-Boot displays the Wi-Fi network password in cleartext if the camera is connected to a wireless network [1]. Additionally, a hardcoded boot password is present in the firmware image, which can be used to gain access to the U-Boot console [2].

Exploitation

An attacker needs physical access to the device and a UART adapter. By connecting to the UART pins, they can observe the boot process where the Wi-Fi password is printed. To gain console access, they interrupt the U-Boot process and enter the hardcoded password, which grants a root shell on the bootloader [1][2].

Impact

Successful exploitation results in the disclosure of the Wi-Fi network credentials, potentially compromising the network. Furthermore, with root access to U-Boot, the attacker can read or modify the device's firmware, execute arbitrary code, or permanently brick the device. This represents a complete compromise of the device's confidentiality and integrity.

Mitigation

As of the publication date, no firmware update or patch has been released by the vendor. The only mitigation is to restrict physical access to the device, such as placing it in a secured location. If the device is deployed in an untrusted environment, replacement with a more secure model may be necessary.