CVE-2015-8362
📋 TL;DR
This vulnerability involves a hardcoded password for the 'BlackWidow' administrative account in Harman AMX devices, allowing remote attackers to gain unauthorized access via SSH or HTTP sessions. It affects AMX devices with firmware versions before October 12, 2015, potentially compromising entire control systems.
💻 Affected Systems
- Harman AMX devices (various models)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover allowing attackers to manipulate building automation, security systems, and industrial controls, potentially causing physical damage or safety hazards.
Likely Case
Unauthorized access to control systems enabling surveillance, data theft, or disruption of automated processes in commercial/industrial environments.
If Mitigated
Limited impact if network segmentation and access controls prevent external access to vulnerable devices.
🎯 Exploit Status
Simple credential-based attack using documented hardcoded credentials. No special tools required beyond SSH/HTTP client.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware versions from 2015-10-12 onward
Vendor Advisory: http://www.amx.com/techcenter/NXSecurityBrief/
Restart Required: Yes
Instructions:
1. Download the latest firmware from the AMX Tech Center.
2. Back up the current configuration.
3. Upload and install the firmware update via the web interface or serial connection.
4. Reboot the device.
5. Verify that the BlackWidow account is removed.
🔧 Temporary Workarounds
Network Access Control
Restrict SSH and HTTP access to AMX devices using firewall rules (replace trusted_network with the CIDR of your management network):
iptables -A INPUT -p tcp --dport 22 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP
Account Monitoring
Monitor for BlackWidow account login attempts (both successful and failed):
grep -i 'BlackWidow' /var/log/auth.log
grep -E 'Accepted|Failed' /var/log/auth.log | grep -i 'BlackWidow'
🧯 If You Can't Patch
- Isolate AMX devices on separate VLAN with strict firewall rules blocking all unnecessary ports
- Implement network monitoring to detect SSH/HTTP connections to AMX devices and alert on BlackWidow account usage
🔍 How to Verify
Check if Vulnerable:
Attempt SSH login with username 'BlackWidow' and known hardcoded password (documented in security advisories). If successful, device is vulnerable.
Check Version:
ssh admin@device_ip 'cat /etc/version' or check via web interface at http://device_ip
Verify Fix Applied:
Attempt SSH login with the BlackWidow credentials; it should fail. Check that the firmware version is 2015-10-12 or later via the web interface or via SSH with legitimate credentials.
📡 Detection & Monitoring
Log Indicators:
- SSH login attempts for 'BlackWidow' user
- HTTP requests with BlackWidow credentials in authentication headers
- Unusual administrative activity from unknown IPs
Network Indicators:
- SSH connections to AMX devices from unexpected sources
- HTTP traffic to AMX web interfaces with authentication attempts
SIEM Query:
(source="auth.log" AND "BlackWidow") OR (source="firewall" AND dest_port IN (22,80) AND dest_ip IN (amx_device_ips))
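As an added defender-side example (not from the advisory, the vendor, or any SIEM product), the following Python script applies the log indicators above to constructed OpenSSH-style auth.log lines and to HTTP Basic Authorization header values; the log format, host name and addresses are assumptions, and the logging format of an actual AMX device may differ.

```python
import re
import base64
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in OpenSSH auth.log format (not output from a real AMX device).
SAMPLE_AUTH_LOG = """\
Jan 21 10:15:02 amx-nx sshd[1201]: Accepted password for admin from 10.10.1.5 port 50122 ssh2
Jan 21 10:16:40 amx-nx sshd[1210]: Failed password for BlackWidow from 203.0.113.7 port 41822 ssh2
Jan 21 10:16:43 amx-nx sshd[1210]: Accepted password for BlackWidow from 203.0.113.7 port 41822 ssh2
Jan 21 10:20:11 amx-nx sshd[1222]: Failed password for invalid user test from 10.10.1.9 port 52201 ssh2
"""

# Matches both "Accepted ... for <user>" and "Failed ... for [invalid user] <user>" sshd lines.
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)"
)

WATCHED_ACCOUNT = "blackwidow"  # the hidden account named in the advisory; compared case-insensitively


def ssh_backdoor_events(log_text: str) -> List[Dict[str, str]]:
    """Return every sshd login event (accepted or failed) for the watched account."""
    events = []
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m and m.group("user").lower() == WATCHED_ACCOUNT:
            events.append({"outcome": m.group("outcome"), "user": m.group("user"), "src": m.group("src")})
    return events


def summarize(events: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per source IP: number of attempts and whether any of them succeeded (the high-severity case)."""
    attempts = Counter(e["src"] for e in events)
    succeeded = {e["src"] for e in events if e["outcome"] == "Accepted"}
    return {src: {"attempts": n, "succeeded": src in succeeded} for src, n in attempts.items()}


def basic_auth_user(authorization_header: str) -> Optional[str]:
    """Extract the user name from an HTTP 'Authorization: Basic ...' value; None if not Basic or malformed."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:  # binascii.Error (bad alphabet or padding) is a subclass of ValueError
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None
    user, _, _ = decoded.partition(":")  # never return the password part
    return user or None


if __name__ == "__main__":
    for src, info in summarize(ssh_backdoor_events(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {info['attempts']} BlackWidow attempt(s), succeeded={info['succeeded']}")
```

The HTTP helper only reports the user name, so it can be run over captured headers without writing credentials to a ticket or SIEM.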
🔗 References
- http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html
- http://seclists.org/fulldisclosure/2016/Jan/63
- http://www.amx.com/techcenter/NXSecurityBrief/
- http://www.amx.com/techcenter/firmware.asp?Category=Hot%20Fix%20Files
- http://www.securityfocus.com/archive/1/537343/100/0/threaded
- http://www.securityfocus.com/bid/81545
- https://ics-cert.us-cert.gov/advisories/ICSA-16-049-02
- https://www.kb.cert.org/vuls/id/992624
- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160121-0_AMX_Deliberately_hidden_backdoor_account_v10.txt