AiKaan IoT Management Platform Improper Hardening of Proxyuser Account Allows Remote Shell Access and Pivoting into IoT Devices
Vulnerability
A vulnerability in the AiKaan IoT management platform's cloud controller, in versions through v3.25.0325-5-g2e9c59796, allows remote attackers to authenticate using a shared, hardcoded SSH private key. Authenticating with this key grants an interactive shell as the 'proxyuser' account, which is intended only for non-interactive reverse tunneling. Once access is gained, attackers can execute arbitrary commands, disrupt remote access services, and pivot into other connected IoT devices. This vulnerability could lead to remote code execution, information disclosure, and privilege escalation across customer environments.
Impact
Exploitation of this vulnerability allows for unauthorized interactive shell access on the cloud controller, with the ability to execute arbitrary commands. This access can be used to disrupt remote access services, pivot into connected IoT devices, and potentially execute malicious code on those devices.
Reproduction
To reproduce this vulnerability, authenticate to the AiKaan Cloud Controller's remote access server as 'proxyuser' using the shared SSH private key. Once authenticated, the account provides an interactive shell instead of the expected tunneling-only access. From this shell, commands can be executed, authorized keys and active sessions can be enumerated, and active SSH tunnels can be inspected.
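The hardening this account lacks can be checked mechanically. The following Python audit is an added example, not code from the advisory or from AiKaan: it flags authorized_keys entries for a tunnel-only account that lack `restrict` (or `no-pty`) and a forced `command=`, and a `Match User` block in sshd_config that still permits a TTY or has no ForceCommand. The key lines, the sshd_config fragment and the file contents are constructed samples.

```python
"""Audit a tunnel-only SSH account (the page's proxyuser) for the hardening whose
absence the advisory describes: keys must not get a PTY or run arbitrary
commands, only forward ports. Inputs are constructed samples, not vendor files."""
import re

# Constructed authorized_keys: line 1 is unrestricted, line 2 is hardened.
AUTH_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne device-01
restrict,port-forwarding,command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo device-02
"""
# Constructed sshd_config fragment; ForceCommand is deliberately missing.
SSHD_CONFIG = """\
Match User proxyuser
    PermitTTY no
    AllowTcpForwarding remote
"""
KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:ed25519|rsa)|ecdsa-sha2-nistp\d+|sk-[\w.-]+@openssh\.com)\s")
OPT_RE = re.compile(r'(?:[^,"]|"[^"]*")+')  # option items: split on commas outside quotes

def audit_key_line(line):
    """Return hardening problems for one authorized_keys line (empty list = OK)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    m = KEY_RE.search(line)
    if not m:
        return ["unparseable line"]
    names = {o.split("=", 1)[0] for o in OPT_RE.findall(line[: m.start()].strip())}
    checks = [
        (not names & {"restrict", "no-pty"}, "PTY allowed: add restrict (or no-pty)"),
        ("command" not in names, "no command= override: the login shell is reachable"),
        ("restrict" in names and "port-forwarding" not in names,
         "restrict without port-forwarding blocks the tunnel itself"),
    ]
    return [msg for bad, msg in checks if bad]

def audit_match_block(config, user):
    """Return problems for the 'Match User <user>' block of an sshd_config text."""
    settings, inside = {}, False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].lower().split(None, 1)
        if parts and parts[0] == "match":
            inside = len(parts) > 1 and parts[1].strip() == f"user {user.lower()}"
        elif parts and inside:
            settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    checks = [
        (settings.get("permittty", "yes") != "no", "PermitTTY should be no"),
        ("forcecommand" not in settings, "ForceCommand missing: login shell reachable"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run against the real `~proxyuser/.ssh/authorized_keys` and `/etc/ssh/sshd_config` (assumed paths), an empty list from both functions means the key can only open the tunnel it was issued for.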
