Full Report
An authenticated attacker with low privileges can activate a high-privileged user account and use it to expand the attack surface.
Analysis Summary
# Vulnerability: Eltex ESR-200 Router Built-in High-Privilege Account Activation
## CVE Details
- **CVE ID:** CVE-2018-15358
- **CVSS Score:** 8.8 (High) - *Note: While the article text mentions 0.0, the provided vector string (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) calculates to 8.8.*
- **CWE:** CWE-267 (Privilege Defined With Unsafe Actions) / CWE-250 (Execution with Unnecessary Privileges)
## Affected Systems
- **Products:** Eltex ESR-200 Router
- **Versions:** Firmware version 1.2.0
- **Configurations:** Systems where authenticated low-privileged access is available.
## Vulnerability Description
The Eltex ESR-200 router contains an undocumented, built-in user account with maximum system privileges. An authenticated attacker who initially holds only low-level privileges can activate this high-privileged account, either manually or programmatically, and then operate under it. This bypasses the intended role-based access controls and significantly expands the attack surface of the device.
## Exploitation
- **Status:** Unknown (No public PoC cited in the advisory)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Total access to device configuration and data)
- **Integrity:** High (Ability to modify firmware, settings, and credentials)
- **Availability:** High (Potential to disable the device or disrupt network services)
## Remediation
### Patches
- **Firmware Update:** Upgrade to Eltex ESR-200 firmware version **1.3.0** or later.
### Workarounds
- The vendor provided no workaround other than the firmware update. Until the update is applied, restrict network access to the router's management interface to trusted IP addresses only.
## Detection
- **Indicators of Compromise:** Monitor for the creation of unauthorized administrative accounts, or for sudden activity by an administrative account that was previously dormant.
- **Detection methods and tools:** Audit system logs for privilege escalation events or unexpected logins from the built-in account. Perform configuration audits to identify active high-privilege accounts that were not created by the authorized administrator.
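As an added example (not code from the advisory or from Eltex), the following Python script implements the configuration and log audit described above: it parses a running-config fragment, flags maximum-privilege accounts that are not on the administrator's approved list, and reports logins by those accounts. The Cisco-style config syntax, the log line format, and privilege level 15 as the maximum are assumptions chosen for illustration.

```python
import re

# Constructed sample running-config fragment (syntax assumed for illustration).
SAMPLE_CONFIG = """\
username admin
  privilege 15
exit
username monitor
  privilege 1
exit
username service
  privilege 15
exit
"""

# Constructed sample AAA log lines (format assumed for illustration).
SAMPLE_LOGS = [
    "2018-08-17 10:01:02 AAA: user 'monitor' logged in from 10.0.0.5 (privilege 1)",
    "2018-08-17 10:03:44 AAA: user 'service' logged in from 10.0.0.5 (privilege 15)",
]

USER_RE = re.compile(r"^username (\S+)\s*$")
PRIV_RE = re.compile(r"^\s+privilege (\d+)")
LOGIN_RE = re.compile(r"user '([^']+)' logged in from (\S+) \(privilege (\d+)\)")


def parse_accounts(config_text):
    """Return {username: privilege} for every account in the config fragment."""
    accounts, current = {}, None
    for line in config_text.splitlines():
        m = USER_RE.match(line)
        if m:
            current = m.group(1)
            accounts[current] = 0  # no privilege line seen yet
            continue
        m = PRIV_RE.match(line)
        if m and current:
            accounts[current] = int(m.group(1))
    return accounts


def audit(config_text, log_lines, approved_admins, max_priv=15):
    """Flag max-privilege accounts outside the approved set and logins they performed."""
    accounts = parse_accounts(config_text)
    rogue = sorted(u for u, p in accounts.items()
                   if p >= max_priv and u not in approved_admins)
    logins = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m and m.group(1) in rogue:
            logins.append((m.group(1), m.group(2)))  # (user, source address)
    return {"rogue_accounts": rogue, "rogue_logins": logins}
```

Running `audit(SAMPLE_CONFIG, SAMPLE_LOGS, {"admin"})` on the constructed data reports `service` as an unapproved maximum-privilege account together with its login from 10.0.0.5.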
## References
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/08/17/klcert-18-014-eltex-esp-200-router-build-in-user-with-highest-privileges/
- **NVD CVE-2018-15358:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-15358