Full Report
Threat actors are actively exploiting a critical authentication bypass flaw in Four-Faith F3x36 industrial cellular routers, with security...

The post CrowdSec flags rising exploitation of Four-Faith industrial routers as botnet activity grows across critical sectors appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: Authentication Bypass via Hard-coded Credentials in Four-Faith Industrial Routers
## CVE Details
- **CVE ID:** CVE-2024-9643 (Note: Related to research in TALOS-2023-1752)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-798 (Use of Hard-coded Credentials) / CWE-259 (Use of Hard-coded Password)
## Affected Systems
- **Products:**
- Four-Faith F3x36 series industrial cellular routers
- Yifan YF325 (specifically version v1.0_20221108)
- **Versions:** Multiple versions in the Four-Faith product line; specific patched version numbers are not explicitly listed in the report.
- **Configurations:** Any device whose web management interface is reachable from an untrusted network. Because the credentials are hard-coded into the firmware, there is no setting that turns them off; reachability of the interface is the only precondition.
## Vulnerability Description
The router's web server (`httpd`) ships with administrative/debug credentials fixed in the firmware. An attacker who supplies those credentials in otherwise ordinary HTTP requests to management pages such as `/Status_Router.asp` is accepted as an administrator without holding any legitimate account, which is why the issue is classed as an authentication bypass rather than a weak-password problem. The "leftover" credentials are not configurable from the interface; removing them requires a firmware update. With that access the attacker can read and change the full device configuration and any sensitive data the interface exposes.
## Exploitation
- **Status:** Exploited in the wild (Classified as "Mass Exploited" by CrowdSec as of May 12).
- **Complexity:** Low (Requires minimal technical skill to execute).
- **Attack Vector:** Network (Remote exploitation via HTTP/HTTPS).
- **PoC Availability:** Publicly available; includes a Nuclei detection template and documented exploitation methods by Cisco Talos and VulnCheck.
## Impact
- **Confidentiality:** High (Full access to read sensitive device info and traffic).
- **Integrity:** High (Ability to modify device settings and pivot into the internal network).
- **Availability:** High (Attacker can disable the device, change credentials, or brick the hardware).
## Remediation
### Patches
- Contact **Four-Faith Support** (F3x36 series) or **Yifan** technical support (YF325) immediately to obtain the latest firmware that removes the debug credentials.
- The report lists no fixed version numbers, so confirm with the vendor that the installed build addresses the TALOS-2023-1752 findings rather than assuming any firmware released after 2023 is fixed. After updating, verify from a host outside the management network that the management pages no longer accept the leftover credentials.
### Workarounds
- **Disable Remote Management:** Do not expose the web interface on the WAN side; it should be unreachable from the public internet.
- **VPN Access Only:** If remote management is required, reach the interface over a VPN tunnel instead of publishing the management ports (80/443).
- **IP White-listing:** Restrict access to the management interface to specific, trusted source addresses.
- These measures only limit who can reach the interface; they do not remove the credentials, so any host that can still reach it can authenticate with them until the firmware is updated.
## Detection
- **Indicators of Compromise:**
- Unauthorized access or logins from unknown IP addresses (notably from the U.K., Germany, U.S., and Netherlands).
- Modification of DNS settings or unexpected routing rules.
- Large-scale outgoing traffic suggesting the device is participating in a botnet or acting as a proxy.
- **Detection Methods:**
- Monitor for requests to `/Status_Router.asp` and other management pages that are answered successfully (HTTP 2xx) without the standard login flow, or that originate from sources outside the management allow-list; rejected requests (401/403) from such sources indicate scanning rather than compromise but still identify the scanner.
- Run the **Nuclei template** referenced in the CrowdSec report against internal assets to find devices that are still vulnerable.
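The management-page monitoring described above, as an added example that is not part of the original report or of any vendor or CrowdSec tooling: it parses Combined Log Format lines from a reverse proxy or firewall HTTP log in front of the router (the log format is an assumption; the router's own logging may differ), checks every request to `/Status_Router.asp` against the trusted-source allow-list from the Workarounds section, and separates successful hits from untrusted sources from rejected probes. Treating any other top-level `.asp` page as a management page, the `10.0.0.0/24` trusted range, the addresses and the log lines themselves are all constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Combined Log Format as written by many reverse proxies and web servers.
# Assumption: the device or proxy in front of the router logs in this form.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed trusted management range (the allow-list from the Workarounds section).
TRUSTED_NETS = ["10.0.0.0/24"]

# Constructed sample log: one trusted admin, one untrusted source that is first
# rejected and then served the page twice, one untrusted source that is only rejected.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2000:08:01:10 +0000] "GET /Status_Router.asp HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2000:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 310
203.0.113.7 - - [01/Jan/2000:08:03:41 +0000] "GET /Status_Router.asp HTTP/1.1" 401 0
203.0.113.7 - - [01/Jan/2000:08:03:42 +0000] "GET /Status_Router.asp HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2000:08:03:45 +0000] "GET /Status_Router.asp?x=1 HTTP/1.1" 200 5120
198.51.100.23 - - [01/Jan/2000:08:05:02 +0000] "GET /Status_Router.asp HTTP/1.1" 403 0
this line is deliberately unparseable and must be skipped
"""


def is_management_page(path: str) -> bool:
    """/Status_Router.asp is named in the report; any other top-level .asp page
    is treated as a management page by assumption."""
    path = path.split("?", 1)[0]
    return path == "/Status_Router.asp" or path.endswith(".asp")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event


def classify(event: dict, allowlist: list) -> str:
    """Verdict for one parsed request against the management allow-list."""
    if not is_management_page(event["path"]):
        return "ignore"
    try:
        src = ip_address(event["src"])
        trusted = any(src in net for net in allowlist)
    except ValueError:
        trusted = False  # unparseable source (e.g. a hostname) is never trusted
    if trusted:
        return "trusted"
    if 200 <= event["status"] < 300:
        return "untrusted-success"  # management page served to an untrusted source
    return "untrusted-denied"       # probe that was rejected (401/403/...)


def analyze(lines, allowlist) -> list:
    """Return one finding per management-page request, skipping unparseable lines."""
    nets = [ip_network(n) for n in allowlist]
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        verdict = classify(event, nets)
        if verdict != "ignore":
            findings.append({"src": event["src"], "path": event["path"],
                             "status": event["status"], "verdict": verdict})
    return findings


def summarize(findings: list) -> dict:
    """Per-source counts of each verdict."""
    counts = {}
    for f in findings:
        counts.setdefault(f["src"], Counter())[f["verdict"]] += 1
    return counts


def offending_sources(summary: dict) -> list:
    """Sources that were actually served a management page without being trusted."""
    return sorted(ip for ip, c in summary.items() if c["untrusted-success"] > 0)


if __name__ == "__main__":
    summary = summarize(analyze(SAMPLE_LOG.splitlines(), TRUSTED_NETS))
    for src, counts in summary.items():
        print(src, dict(counts))
    print("investigate:", offending_sources(summary))
```

On the constructed sample the only source to investigate is `203.0.113.7`: it probed, was rejected once, and then received the page twice, which is the pattern of a successful use of the leftover credentials. `198.51.100.23` only scanned. Successful untrusted hits on the status page are an indicator of compromise in themselves, because a host outside the allow-list should never be able to render that page at all.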
## References
- Cisco Talos Advisory: [https://talosintelligence[.]com/vulnerability_reports/TALOS-2023-1752]
- CrowdSec VulnTracking: [https://www[.]crowdsec[.]net/vulntracking-report/cve-2024-9643-four-faith-router-authentication-bypass]
- VulnCheck Advisory: [https://www[.]vulncheck[.]com/advisories/four-faith-hard-coded-creds]