Sercomm SCE4255W Hard-Coded AES Key Vulnerability Allowing Configuration Tampering and Privilege Escalation

A vulnerability exists in the Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware, specifically in versions prior to DG3934v3@2308041842. The issue arises from a hard-coded AES-256-CBC key used in the configuration backup and restore process. This key allows remote authenticated users to decrypt, modify, and re-encrypt device configurations. Exploitation of this vulnerability could lead to unauthorized changes in user credentials and elevated privileges through the device's graphical user interface import and export functions.

Impact

Exploitation of this vulnerability could result in unauthorized access to user accounts, manipulation of credentials, and escalation of privileges on the affected device.

Reproduction

The vulnerability can be reproduced by downloading the encrypted configuration file from the device via the GUI. Once downloaded, the file can be decrypted using the hard-coded passphrase, which is the same for all devices on affected firmware. After decrypting the file, the XML configuration can be modified, re-encrypted with the same static key, and uploaded back to the device, bypassing any integrity checks. This process can be automated with a script that replicates the configuration modification and upload steps.