Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH)

Title: Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH)
Advisory ID: ZSL-2021-5686
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 10.10.2021
Summary
CTM-200 is the industrial cellular wireless gateway for fixed and mobile applications. The CTM-200 is a Linux based platform powered by ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed site office and SCADA communications.

CTM-ONE is the industrial LTE cellular wireless gateway for mobile and fixed applications. CTM-ONE is your next generation of gateway for fleet tracking and fixed sites.
Description
The CTM-200 and CTM-ONE are vulnerable to hard-coded credentials within their Linux distribution image. This weakness can lead to the exposure of resources or functionality to unintended actors, providing attackers with sensitive information including executing arbitrary code.
Vendor
Cypress Solutions Inc. - https://www.cypress.bc.ca
Affected Version
CTM-ONE (1.3.6-latest)
CTM-ONE (1.3.1)
CTM-ONE (1.1.9)
CTM200 (2.7.1.5659-latest)
CTM200( 2.0.5.3356-184)
Tested On
GNU/Linux 4.1.15-1.2.0+g77f6154 (arm7l)
GNU/Linux 2.6.32.25 (arm4tl)
lighttpd/1.4.39
BusyBox v1.24.1
BusyBox v1.15.3
Vendor Status
[21.09.2021] Vulnerability discovered.
[23.09.2021] Vendor contacted.
[09.10.2021] No response from the vendor.
[10.10.2021] Public security advisory released.
PoC
cypress_ssh.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5479.php
[2] https://www.exploit-db.com/exploits/50407
[3] https://packetstormsecurity.com/files/164466
[4] https://cxsecurity.com/issue/WLB-2021100052
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/211080
Changelog
[10.10.2021] - Initial release
[13.10.2021] - Added reference [2], [3], [4] and [5]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk