Quantum SuperLoader 3 and Dell PowerVault 124T Hardcoded Account Access Vulnerability

Vulnerability

A vulnerability exists in Quantum SuperLoader 3 devices running version 94.0 005E.0h and Dell PowerVault 124T autoloaders that allows unauthorized access through a hardcoded support account named 'fa'. The account's password consists of only four lowercase hexadecimal characters, so it can be brute-forced outright (at most 65,536 guesses) or derived, through a known algorithm, from a five-digit challenge code that the device displays in its telnet banner, in its HTTP authentication realm, and on the front panel. Because the challenge code is openly displayed, the password can be recovered and used to gain unauthorized access to the device.

Impact

Exploitation of this vulnerability allows for unauthorized access to the affected device via the hardcoded 'fa' support account.

Reproduction

The vulnerability can be reproduced by sending a maximum of 65,536 requests to the web interface, attempting to guess the password for the 'fa' account. The password can be derived from the five-digit challenge code displayed in the telnet banner, HTTP authentication realm, and front panel, using a known algorithm. Once the password is obtained, it can be used to log into the device via the web console.
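As an added defender-side example that is not part of this advisory, the following Python scans web-interface access-log lines for the footprint the reproduction above would leave: a burst of failed HTTP authentications for the 'fa' account from a single source. The log lines are constructed here and their Common Log Format layout is an assumption; the autoloader's actual log format is not given in the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Common Log Format lines; the autoloader's real log format is
# not given in the advisory, so this layout is an assumption.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FA_KEYSPACE = 16 ** 4  # four lowercase hex chars: the 65,536 guesses the advisory cites

def parse_line(line):
    """Return (ip, user, timestamp, status) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], m["user"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])

def detect_fa_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: (total_401s, first_seen, last_seen)} for sources that hit
    >= threshold HTTP 401s for user 'fa' inside any sliding window."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[1] == "fa" and rec[3] == 401:
            failures[rec[0]].append(rec[2])
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(times), times[0], times[-1])
                break
    return hits

def constructed_sample():
    """Constructed log: 300 'fa' failures from one host, benign traffic, one stray miss."""
    base = datetime(2025, 8, 1, 4, 20, tzinfo=timezone.utc)
    stamp = lambda t: t.strftime(TS_FMT)
    lines = [f'10.0.0.5 - fa [{stamp(base + timedelta(milliseconds=50 * i))}] '
             '"GET /index.html HTTP/1.1" 401 0' for i in range(300)]
    lines += [f'10.0.0.9 - admin [{stamp(base + timedelta(seconds=30 * i))}] '
              '"GET /index.html HTTP/1.1" 200 512' for i in range(3)]
    lines.append(f'10.0.0.9 - fa [{stamp(base)}] "GET /index.html HTTP/1.1" 401 0')
    return lines
```

A single mistyped 'fa' login stays below the threshold, while a guessing run against the 16**4 key space trips it within seconds.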

Added: Aug 1, 2025, 4:23 AM
Updated: Aug 1, 2025, 4:23 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          7.5
  exploitability  8.7
  remediation     0.0
  relevance       0.3
  threat          6.4
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.