Eaton XC-303 Hardcoded SSH Root Password Vulnerability
Vulnerability
A vulnerability exists in Eaton XC-303 PLCs running firmware versions prior to 3.5.16 and 3.5.17 Build 712, allowing an attacker with network access to log in as root via SSH. The root password, hardcoded in the firmware, is 'Etn602'. This issue arises because versions 3.5.16 and below use the insecure 'crypt' algorithm to hash the root password, leaving it susceptible to brute-force attacks. Exploiting this vulnerability enables persistent access to the device, as it lacks secure boot functionality.
Impact
Successful exploitation allows for unauthorized root access via SSH, with the ability to maintain persistence across device reboots and updates.
Reproduction
To reproduce this vulnerability, access a network where an XC-303 PLC running a vulnerable firmware version is located. Attempt to log in via SSH using the username 'root' and the password 'Etn602'.
Remediation
Users can upgrade to XC-303 firmware version 3.5.17 Build 715 or later to address this vulnerability.
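A defender-side check for the hashing weakness described under Vulnerability, as an added example that is not part of the original advisory or of Eaton's firmware: it classifies the hash scheme of each entry in a shadow file taken from a firmware image or device backup and flags legacy schemes. It assumes the advisory's 'crypt' means the traditional 13-character DES-based crypt(3) format; the function names and sample entries are constructed for illustration.

```python
import re

# Modular-crypt "$id$" prefixes and the scheme each one selects (see crypt(5)).
MCF_SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
               "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"empty", "descrypt", "md5crypt"}
# Assumption: the advisory's 'crypt' is traditional DES crypt(3), which has no
# "$id$" prefix: 2 salt characters + 11 hash characters from [./0-9A-Za-z].
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")

def classify(pw_field):
    """Name the hash scheme used by one shadow password field."""
    if pw_field == "":
        return "empty"                      # no password required at all
    if pw_field[0] in "!*":
        return "locked"                     # password login disabled
    if pw_field.startswith("$"):
        parts = pw_field.split("$")
        return MCF_SCHEMES.get(parts[1], "unknown") if len(parts) > 2 else "unknown"
    return "descrypt" if DES_RE.fullmatch(pw_field) else "unknown"

def audit_shadow(text):
    """Return (user, scheme, is_weak) for every entry in shadow-file text."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or fields[0].startswith("#"):
            continue                        # blank, comment or malformed line
        scheme = classify(fields[1])
        findings.append((fields[0], scheme, scheme in WEAK))
    return findings

# Constructed sample entries; not derived from any real device or password.
SAMPLE_SHADOW = """\
root:ab01FAX.bQRSU:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
operator:$6$c0nstructedsalt$Zm9vYmFyYmF6cXV4:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, weak in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:10} {scheme:12} {'WEAK' if weak else 'ok'}")
```

A root entry reported as `descrypt` means the password can be logged in with and is protected only by a legacy hash, which is the condition the advisory describes.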
