CVE-2014-6617 – CVE-2014-6617 is a critical vulnerability in So... (How to Fix)

Q: What is the severity of CVE-2014-6617?

CVE-2014-6617 has a CVSS score of 9.8 (CRITICAL). CVE-2014-6617 is a critical vulnerability in Softing FG-100 PB PROFIBUS firmware that contains a hardcoded root password, allowing remote attackers to gain full administrative control via TELNET. This affects all systems running the vulnerable firmware version, primarily industrial control systems using these PROFIBUS gateways. Attackers can completely compromise affected devices without needing to guess or crack passwords.

📋 TL;DR

CVE-2014-6617 is a critical vulnerability in Softing FG-100 PB PROFIBUS firmware that contains a hardcoded root password, allowing remote attackers to gain full administrative control via TELNET. This affects all systems running the vulnerable firmware version, primarily industrial control systems using these PROFIBUS gateways. Attackers can completely compromise affected devices without needing to guess or crack passwords.

💻 Affected Systems

Products:

Softing FG-100 PB PROFIBUS Gateway

Versions: FG-x00-PB_V2.02.0.00

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the firmware itself, not dependent on specific configurations. TELNET service must be enabled/accessible for exploitation.

📦 What is this software?

Fg 100 Pb Profibus Firmware by Industrial.softing

View all CVEs affecting Fg 100 Pb Profibus Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover allowing attackers to modify industrial processes, disrupt operations, steal sensitive industrial data, or use the device as a pivot point into other critical systems.

🟠

Likely Case

Unauthorized administrative access leading to configuration changes, data exfiltration, and potential disruption of industrial processes.

🟢

If Mitigated

Limited impact if TELNET is disabled or network segmentation prevents access to the vulnerable service.

🌐 Internet-Facing: HIGH - Direct remote exploitation possible if TELNET is exposed to the internet.

🏢 Internal Only: HIGH - Even internally, any network-accessible device with TELNET enabled is vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is trivial - simply connect via TELNET using the hardcoded credentials. Public exploit code and detailed analysis are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later firmware versions (specific version not documented in public sources)

Vendor Advisory: Not publicly available in provided references

Restart Required: Yes

Instructions:

1. Contact Softing for updated firmware. 2. Backup current configuration. 3. Apply firmware update following vendor instructions. 4. Verify TELNET service is disabled or secured.

🔧 Temporary Workarounds

Disable TELNET Service

all

Completely disable the TELNET service to prevent remote exploitation

Configuration dependent - use device management interface to disable TELNET

Network Segmentation

all

Isolate affected devices in separate network segments with strict access controls

🧯 If You Can't Patch

Implement strict network access controls to block all TELNET traffic to affected devices
Monitor for TELNET authentication attempts and investigate any successful logins

🔍 How to Verify

Check if Vulnerable:

Attempt TELNET connection to port 23 and try known hardcoded credentials (specific password not listed for security reasons)

Check Version:

Check via device web interface or serial console - vendor-specific command

Verify Fix Applied:

Verify firmware version is newer than FG-x00-PB_V2.02.0.00 and TELNET connections with hardcoded credentials fail

📡 Detection & Monitoring

Log Indicators:

Successful TELNET logins from unexpected sources
Multiple failed TELNET authentication attempts

Network Indicators:

TELNET connections to port 23 from unauthorized IPs
Unusual outbound connections from affected devices

SIEM Query:

source_port=23 AND (event_type="authentication_success" OR event_type="login")

📊 Metadata

CVE ID: CVE-2014-6617

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-798

Published: March 9, 2018

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/128976/Softing-FG-100-PB-Hardcoded-Backdoor.html Exploit,Third Party Advisory,VDB Entry
http://www.securityfocus.com/archive/1/533902/100/0/threaded
http://www.securityfocus.com/bid/70927 Third Party Advisory,VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/98512 Third Party Advisory,VDB Entry
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2014-005_softring_backdoor_account.txt Exploit,Third Party Advisory
http://packetstormsecurity.com/files/128976/Softing-FG-100-PB-Hardcoded-Backdoor.html Exploit,Third Party Advisory,VDB Entry
http://www.securityfocus.com/archive/1/533902/100/0/threaded
http://www.securityfocus.com/bid/70927 Third Party Advisory,VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/98512 Third Party Advisory,VDB Entry
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2014-005_softring_backdoor_account.txt Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2014-6617, you might also want to check these: