Abilis CPX SSH Authentication Bypass Vulnerability Allowing Connection Relay
Vulnerability
A vulnerability exists in unconfigured Abilis CPX 2000 devices that allows an attacker to gain unauthorized access via SSH. After three failed login attempts, the device inadvertently drops to a fallback shell on the fourth attempt. This shell, while restricted, can be used to relay connections to other systems. The issue arises because the device does not require a password for SSH authentication by default, creating an unintentional no-authentication relay service.
Impact
Exploitation of this vulnerability gives an attacker unauthorized SSH access to a restricted shell that can relay connections to other systems, effectively masking the attacker's IP address.
Reproduction
To reproduce this vulnerability, attempt to log in to an unconfigured Abilis CPX 2000 device via SSH three times with incorrect credentials. On the fourth attempt, access will be granted to a restricted shell.
Remediation
Users are advised to set a password for the SSH service. Abilis has released a firmware update to version 9.0.7 that addresses this vulnerability by closing the connection after three unsuccessful login attempts, preventing accidental exposure of the relay service.
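A detection check for the behaviour described above, added here as an example and not code from Abilis or from this advisory: it flags an SSH session that opens right after three consecutive failed logins from the same source. The log line format, the host name `cpx-gw`, the sample addresses and the function name are assumptions; map the pattern onto whatever your SSH-aware collector actually records.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a generic, assumed format (not Abilis's own log syntax).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z cpx-gw ssh auth-failure src=203.0.113.7
2024-05-01T10:00:04Z cpx-gw ssh auth-failure src=203.0.113.7
2024-05-01T10:00:05Z cpx-gw ssh auth-failure src=198.51.100.20
2024-05-01T10:00:07Z cpx-gw ssh auth-failure src=203.0.113.7
2024-05-01T10:00:09Z cpx-gw ssh session-open src=203.0.113.7
2024-05-01T10:03:00Z cpx-gw ssh session-open src=192.0.2.10
2024-05-01T10:05:00Z cpx-gw ssh auth-failure src=198.51.100.20
2024-05-01T10:05:02Z cpx-gw ssh session-open src=198.51.100.20
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ssh (?P<event>auth-failure|session-open) src=(?P<src>\S+)$"
)

def find_fallback_shell_logins(log_text, failures_needed=3, window=timedelta(minutes=2)):
    """Return (host, src, timestamp) for each session opened right after
    `failures_needed` consecutive failures from the same source within `window`."""
    recent = {}  # (host, src) -> timestamps of the current run of failures
    hits = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not SSH auth events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (m["host"], m["src"])
        # Failures older than the window no longer count towards the run.
        fails = [t for t in recent.get(key, []) if ts - t <= window]
        if m["event"] == "auth-failure":
            fails.append(ts)
            recent[key] = fails
        else:
            if len(fails) >= failures_needed:
                hits.append((m["host"], m["src"], m["ts"]))
            recent.pop(key, None)  # an opened session resets the failure run
    return hits

if __name__ == "__main__":
    for host, src, ts in find_fallback_shell_logins(SAMPLE_LOG):
        print(f"{ts} {host}: session after repeated failures from {src}")
```

On firmware 9.0.7, which closes the connection after three unsuccessful attempts, this pattern should no longer appear, so a hit is also a sign that a device is still running an affected version without an SSH password.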
