CVE-2024-28066

An attacker who obtains the firmware image can extract the file system and read the /etc/shadow file, which contains a hardcoded MD5-crypt password hash for the root user [ref_id=1]. Because the password is weak, the attacker can recover the cleartext password ("lxdb") through an offline brute-force or dictionary attack [ref_id=1]. With the root password, the attacker gains full administrative access to the device over SSH or a local shell. No network-level exploitation is required; the attack is performed offline against the extracted firmware.

The advisory identifies that the hardcoded root password hash is stored in /etc/shadow within the firmware file system [ref_id=1]. No specific source code files or functions are named in the advisory.

According to the manufacturer, the fix disables the root account entirely [ref_id=1]. Fixed firmware versions are 1.11.3.0, 2.0.14.0, and 1.8.2.0 [ref_id=1]. By disabling the root account, the hardcoded credential can no longer be used to log in, even if the password hash is extracted from the firmware.

1. Extract the file system from the firmware (see SYSS-2024-007). 2. Locate the hardcoded md5crypt password hash for the user "root" in /etc/shadow. 3. Recover the cleartext password via an offline password-guessing attack (the recovered password is "lxdb"). [ref_id=1]