Hard-Coded Administrator Password Discovered in OpsRamp Gateway

Version Tested:
3.0.0

CVE Numbers:
CVE-2020-11543

CVSS Score:
10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE:
CWE-798: Use of Hard-coded Credentials

OWASP:
https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password

Summary:
During a recent penetration test, CRITICALSTART‘s TEAMARES researchers discovered that OpsRamp Gateway has an administrative account named vadmin that allows root SSH access to the server. This account was unknown to clients unless requested through a support process. At that time the vendor states they would provide the account to the client and request that they change the password.

Prior to the patch, this password was not unique to all clients, only to those who requested access to the account and changed the password. Critical Start is unaware of the number of clients that may have requested access and changed the password.

Technical Details:
After installing the OpsRamp Gateway server, a script called “kick-start.sh” runs, which sets up multiple user accounts and hardcodes their passwords by setting the pre-hashed passwords.

Our team was able to crack the hash for the vadmin, which can be used to SSH into the server with the password [email protected]. Additionally, the account has the sudo permissions ALL, allowing us to easily escalate to root with sudo -i.

We then proceeded to log into client servers in production as root proving that the hashes are not unique to the install.

Timeline:
10/24/2019 – Vulnerability found
01/20/2020 – CRITICALSTART was informed that the Vendor patched the finding
03/26/2020 – Ensured that clients were patched
03/26/2020 – CVE Requested
04/07/2020 – Released vulnerability disclosure

Credit:
Discovered by Charles Dardaman, Senior Adversarial Engineer for TEAMARES at CRITICALSTART

Our Team:
CRITICALSTART’s TEAMARES is comprised of professionals with more than a decade of experience conducting offensive and defensive security services. Our team has expertise in a wide array of industries, including oil and gas, healthcare, app development firms, hospitality, technology, and more.

Follow us on Twitter @TeamAresSec and @CRITICALSTART to stay up to date on vulnerability discoveries and cybersecurity news.

Charles (Chase) Dardaman

Senior Adversarial Engineer, TEAMARES

As a Senior Adversarial Engineer on TEAMARES, Charles brings numerous years of experience in both offensive and defensive security. He is an expert in both network and web application penetration testing, as well as reverse engineering and binary analysis. He is an active member of the local security community, and often speaks at cybersecurity meet-ups.

Hard-Coded Administrator Password Discovered in OpsRamp Gateway

You may also be interested in…

Leave nothing to chance with CRITICALSTART MDR.

CONTACT US

Hard-Coded Administrator Password Discovered in OpsRamp Gateway

You may also be interested in…

Three Reasons Companies Fall Victim to Ransomware – and One Big Way the Game is Changing

Transparency (Or Lack Thereof): What Your MDR Company Isn’t Telling You

CRITICALSTART SELECTED FOR THE DALLAS BUSINESS JOURNAL’S MIDDLE MARKET 50 LIST FOR 2021

RELATED RESOURCES

Palo Alto Networks’ Tim Junio Shares How Acquisition Strategy and a New Perspective on Data are Making a Definitive Impact in Cybersecurity

Simplify your Microsoft Security Operations for Identity-Based Alerts

SentinelOne’s Yonni Shelmerdine Explains why the key to Success in XDR lies in its Evolution, not Revolution

RESOURCE CATEGORIES

Leave nothing to chance with CRITICALSTART MDR.

CONTACT US