Sercomm SCE4255W FreedomFi Englewood Use of Deterministic Credential Generation Algorithm Vulnerability

Vulnerability

A vulnerability exists in the Sercomm SCE4255W small cell running FreedomFi Englewood firmware prior to DG3934v3@2308041842. The device's administrative and root credentials are produced by a deterministic algorithm whose only input is the device's MAC address. A MAC address is not a secret: it is printed on the unit's label and appears in every frame the device sends on the local network. Any attacker who knows or can learn it, local or remote, can therefore run the same algorithm, obtain valid credentials, bypass authentication, and gain full access to the device.
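The weakness is independent of how clever the derivation is. Below is an added illustration (not Sercomm's code; the page does not disclose the real algorithm, so `derive_password_from_mac` is a hypothetical stand-in) that contrasts a credential computed from the public MAC with a per-unit random credential provisioned at manufacture and stored on the device only as a salted hash. The sample MAC is constructed.

```python
import hashlib
import hmac
import os
import re
import secrets

# --- Vulnerable pattern: the credential is a pure function of a public value ---

def normalize_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabbccddeeff' and return 6 raw bytes.
    The attacker may read the MAC off the label, a DHCP lease or a sniffed frame; every
    spelling collapses to the same key material."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)

def derive_password_from_mac(mac: str, role: str) -> str:
    """HYPOTHETICAL firmware derivation (assumption: not the real Sercomm algorithm).
    Whatever the real function is, its only input is the MAC, so anyone who lifts it
    from the firmware image can evaluate it for every unit ever shipped."""
    digest = hashlib.sha256(role.encode() + normalize_mac(mac)).hexdigest()
    return digest[:12]

def attacker_recovers_credentials(observed_mac: str) -> dict:
    """Attacker side: the same function run offline with the MAC seen on the wire."""
    return {role: derive_password_from_mac(observed_mac, role) for role in ("admin", "root")}

# --- Hardened pattern: per-unit CSPRNG secret, verifier stored as a salted hash ---

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

def provision_credentials(roles=("admin", "root")) -> dict:
    """Run once per unit at manufacture. The plaintext goes on the label or into the
    sealed provisioning record; the device keeps only salt + hash."""
    record = {}
    for role in roles:
        password = secrets.token_urlsafe(18)  # 144 bits of entropy, unrelated to the MAC
        salt = os.urandom(16)
        record[role] = {"plaintext_for_label": password, "salt": salt,
                        "hash": _hash_password(password, salt)}
    return record

def verify_password(stored: dict, candidate: str) -> bool:
    """Constant-time comparison of the stored verifier against a login attempt."""
    return hmac.compare_digest(stored["hash"], _hash_password(candidate, stored["salt"]))

if __name__ == "__main__":
    unit_mac = "AA:BB:CC:DD:EE:FF"  # constructed sample
    print("device admin password :", derive_password_from_mac(unit_mac, "admin"))
    print("attacker's computation:", attacker_recovers_credentials("aa-bb-cc-dd-ee-ff")["admin"])
    rec = provision_credentials()
    print("per-unit random admin password verifies:",
          verify_password(rec["admin"], rec["admin"]["plaintext_for_label"]))
```

Keeping the derivation secret would not help either: once the vendor OUI is known from the public IEEE registry, only the low 24 bits of the MAC vary, so roughly 16 million candidates cover every unit and can be tried offline against any recovered password hash. Only a secret that is not derivable from anything public, as in `provision_credentials`, removes the problem.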

Impact

Exploitation of this vulnerability leads to authentication bypass and full root access on the device.

Reproduction

The reproduction recorded for this entry exercises the device's TR-069 client rather than the credential-generation algorithm itself. The device's DNS resolution is overridden so that the name of its auto-configuration server (ACS) resolves to a server under the tester's control; that server intercepts the TR-069 session and sends a crafted Download command containing shell metacharacters. Because the firmware hands the command's contents to a shell, the injected text runs with the privileges of the TR-069 client, and the device can be instructed to start a bind shell as root.
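The class of bug behind the crafted Download command is a URL interpolated into a shell command line. The following added example (not firmware code from Sercomm or FreedomFi) shows that pattern beside a hardened handler; it assumes the URL field of the Download RPC is what reaches the shell, uses `echo downloading` as a stand-in for the real fetch tool, and treats `acs.example.net` as the operator's provisioned ACS host. Both RPC dictionaries are constructed, and the injected payload is a harmless `echo INJECTED` marker rather than a bind shell.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Constructed stand-ins for a TR-069 Download RPC (the real RPC also carries FileType,
# FileSize, credentials and more; only the URL matters for this pattern).
BENIGN_DOWNLOAD = {"FileType": "1 Firmware Upgrade Image",
                   "URL": "http://acs.example.net/fw/image.bin"}
CRAFTED_DOWNLOAD = {"FileType": "1 Firmware Upgrade Image",
                    "URL": "http://acs.example.net/fw/image.bin'; echo INJECTED; echo '"}

def handle_download_vulnerable(rpc: dict) -> str:
    """Vulnerable pattern: the URL is spliced into a command string that a shell parses.
    Closing the quote lets the attacker append arbitrary commands."""
    cmd = f"echo downloading '{rpc['URL']}'"
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout

ALLOWED_ACS_HOSTS = {"acs.example.net"}  # assumption: the operator's provisioned ACS
# Deliberately narrower than RFC 3986: no quotes, spaces, ';', '$', '`', '|' or '&'.
CONSERVATIVE_URL = re.compile(r"^[A-Za-z0-9._~:/?=%+-]+$")

def validate_download_url(url: str) -> str:
    """Reject anything that is not an http(s) URL on an allowlisted host built from a
    conservative character set. Raises ValueError on the first failed check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    if parts.hostname not in ALLOWED_ACS_HOSTS:
        raise ValueError("download host not allowlisted")
    if not CONSERVATIVE_URL.match(url):
        raise ValueError("URL contains characters outside the conservative allowlist")
    return url

def handle_download_hardened(rpc: dict) -> str:
    """Hardened pattern: validate first, then invoke the tool with an argv list and no
    shell, so the URL is a single argument regardless of what it contains."""
    url = validate_download_url(rpc["URL"])
    return subprocess.run(["echo", "downloading", url], capture_output=True, text=True).stdout

def hardened_rejects(rpc: dict) -> bool:
    """True when the hardened handler refuses the RPC."""
    try:
        handle_download_hardened(rpc)
    except ValueError:
        return False if False else True
    return False

if __name__ == "__main__":
    print("vulnerable, crafted RPC:\n" + handle_download_vulnerable(CRAFTED_DOWNLOAD))
    print("hardened, benign RPC:\n" + handle_download_hardened(BENIGN_DOWNLOAD))
    print("hardened rejects crafted RPC:", hardened_rejects(CRAFTED_DOWNLOAD))
```

The argv form is the fix that matters; the host allowlist and character check are defence in depth. Neither addresses the DNS override used to reach the client in the first place, which is why the ACS connection should additionally be authenticated (TLS with certificate validation of the ACS) rather than trusted on the strength of a DNS answer.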

Remediation

Sercomm has confirmed that these vulnerabilities have been addressed internally, but no channel exists to deliver the fix to devices already deployed in the field. Affected units should therefore be treated as permanently vulnerable unless they are replaced.

Added: Mar 19, 2026, 6:28 PM
Updated: Mar 19, 2026, 6:28 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.