A backdoor vulnerability was reportedly found in AMX devices in March, with the manufacturer patching almost a year later.
A deliberately hidden backdoor account has been found in AMX by Harman Professional devices that allows attackers to completely compromise an affected device.
Whilst performing an analysis of the authentication procedure of one of AMX’s central controller systems, the AMX NX-1200, SEC Consult said it discovered a function called setUpSubtleUserAccount that adds an administrative account with hardcoded credentials to an internal user database; the account can be used to access SSH and the web interface as well.
“Functions to retrieve a list of all users in the database were found to deliberately hide this user,” SEC Consult wrote. “Further, using this backdoor account grants additional features on the remote-cli, such as a facility to capture packets on the network interface which not even an administrator account can perform.”
Whilst SEC Consult have not published the password it found for the “Black Widow” administrative account, it did say that entering the backdoor account’s credentials into the AMX web-based management interface and the command line interface allowed access to additional features, such as capturing packets on the network interface.
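The mechanism described above is an account that exists in the backing store but is filtered out by the device's own user listing. The following is an added example, not code from SEC Consult or AMX, of how a defender can audit for that pattern by cross-checking a raw dump of the user store against what the management interface reports; the row format, the `RAW_USER_DB` and `LISTED_USERS` samples and the capability names are constructed assumptions.

```python
from typing import Dict, List, Set

# Constructed sample dump of a device's internal user database, the kind of
# store a hidden account would be written into. Assumed row format:
# name|role|comma-separated capabilities
RAW_USER_DB = """\
admin|administrator|web,ssh
operator|user|web
svc_maint|administrator|web,ssh,remote-cli,pcap
"""

# Constructed sample: what the device's own "list users" function reported.
LISTED_USERS = ["admin", "operator"]


def parse_user_db(text: str) -> List[Dict[str, object]]:
    """Parses the raw dump into records, skipping blank lines."""
    users = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, role, caps = line.split("|")
        users.append({"name": name, "role": role, "caps": set(caps.split(","))})
    return users


def audit_user_store(raw_text: str, listed: List[str],
                     admin_caps: Set[str]) -> Dict[str, List[str]]:
    """Cross-checks the raw store against the listing the device produced.

    'hidden' are accounts present in the store but omitted by the listing;
    'over_privileged' are accounts holding capabilities the legitimate
    administrator does not have (for example packet capture)."""
    users = parse_user_db(raw_text)
    visible = set(listed)
    hidden = sorted(u["name"] for u in users if u["name"] not in visible)
    over = sorted(u["name"] for u in users if u["caps"] - admin_caps)
    return {"hidden": hidden, "over_privileged": over}


if __name__ == "__main__":
    # Baseline: a legitimate administrator holds only web and ssh access.
    print(audit_user_store(RAW_USER_DB, LISTED_USERS, {"web", "ssh"}))
```

Any name that appears under "hidden" or "over_privileged" warrants a look at the firmware function that populated the store, since a legitimate account should be both listed and bounded by the administrator's rights.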
According to SEC Consult, AMX was approached by the firm exposing the Black Widow account, with a fix for the vulnerability coming seven months later.
After reviewing the firmware, SEC Consult said although Black Widow was gone, the backdoor was still in place with a new user “1MB@tMaN” — I’m Batman.
“This time around, we decided (tried) to get in direct contact with somebody responsible for security at AMX (Harman Professional). After numerous emails requesting a security contact to exchange the information about the vulnerability, finally somebody replied,” SEC Consult said.
“We exchanged the security advisory unencrypted, as requested by AMX. Then they went silent again.”
SEC Consult said it had been holding on to knowledge of the vulnerability for close to a year before AMX made contact, informing the security firm that it had released firmware updates for the affected products.
“These updates are untested and unconfirmed by SEC Consult,” the company said.
AMX was acquired by Harman Professional in early 2014 for $365 million.
AMX’s client portfolio includes The White House, departments from the police, air force, army, marine corps, sporting organisations, as well as a number of top universities and colleges.
Last week, Cisco was forced to fix a critical vulnerability that was found in its Aironet 1800-series devices that would effectively allow an attacker to walk in with backdoor access.
According to Cisco, the flaw was due to the presence of a default user account that is created when the device is installed. Cisco said that although the account did not have full administrative rights, it still allowed an attacker to gain unauthorised access to the device.
At the same time, the company disclosed another flaw, rated “critical,” in some versions of Cisco’s Identity Services Engine (ISE), which could allow a remote attacker to gain unauthorised access to the device’s administrative portal.