CVE-2018-11629

9.8 CRITICAL

📋 TL;DR

CVE-2018-11629 involves hardcoded credentials (user:lutron, password:integration) in Lutron HomeWorks QS systems that allow attackers to gain administrative control through Telnet. This affects IoT lighting control systems using the Lutron integration protocol from Revision M to Revision Y. The vendor disputes the severity, claiming the access only allows lighting control rather than arbitrary code execution.

💻 Affected Systems

Products:
  • Lutron HomeWorks QS lighting control systems
Versions: Revision M through Revision Y of Lutron integration protocol
Operating Systems: Embedded systems in Lutron controllers
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Telnet service enabled and using the vulnerable protocol revisions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain complete control over lighting systems, potentially causing physical damage, safety hazards, or disruption to critical infrastructure operations.

🟠 Likely Case

Unauthorized users manipulate lighting systems, create nuisance conditions, or disrupt building automation functions.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing Telnet access from untrusted networks.

🌐 Internet-Facing: HIGH if Telnet ports are exposed to the internet, as credentials are hardcoded and widely known.
🏢 Internal Only: MEDIUM if accessible on internal networks, allowing lateral movement or insider threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only Telnet access and the known credentials. Multiple public references demonstrate exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified by vendor

Vendor Advisory: http://www.lutron.com/TechnicalDocumentLibrary/040249.pdf

Restart Required: No

Instructions:

No official patch available. Vendor recommends disabling Telnet service and using secure alternatives.

🔧 Temporary Workarounds

Disable Telnet Service

all

Completely disable Telnet service on affected Lutron controllers to prevent credential-based access.

Specific commands vary by Lutron controller model. Consult Lutron documentation for disabling Telnet.

Network Segmentation

all

Isolate Lutron controllers on separate VLANs with strict firewall rules blocking Telnet (port 23) from untrusted networks.

🧯 If You Can't Patch

  • Implement strict network access controls allowing only trusted management stations to access Telnet ports
  • Monitor Telnet authentication attempts and block IPs attempting to use the hardcoded credentials

🔍 How to Verify

Check if Vulnerable:

Attempt Telnet connection to port 23 of Lutron controller using credentials 'lutron:integration'. Successful login indicates vulnerability.

Check Version:

Check Lutron controller documentation or web interface for protocol revision information.

Verify Fix Applied:

Verify Telnet service is disabled or inaccessible. Test that 'lutron:integration' credentials no longer grant access.

📡 Detection & Monitoring

Log Indicators:

  • Failed or successful Telnet authentication attempts
  • Multiple Telnet connection attempts from unusual sources

Network Indicators:

  • Telnet traffic (port 23) to Lutron controllers
  • Traffic patterns matching known exploit sequences

SIEM Query:

source_ip=* AND destination_port=23 AND (event_description="authentication success" OR event_description="login")
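
The network indicators and the management-station allowlist described above can be checked against firewall or flow logs. The following is an added example, not part of the original advisory or any Lutron tooling; the log format, controller addresses and trusted management subnet are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions (constructed for this example): controller inventory and the
# management subnet that is permitted to reach Telnet on the controllers.
CONTROLLERS = {ipaddress.ip_address("10.20.0.11"), ipaddress.ip_address("10.20.0.12")}
TRUSTED_MGMT = [ipaddress.ip_network("10.20.9.0/28")]
TELNET_PORT = 23

# Constructed flow records: "timestamp src dst dport action"
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.20.9.5 10.20.0.11 23 ALLOW
2024-05-01T08:03:10Z 10.30.4.77 10.20.0.11 23 ALLOW
2024-05-01T08:03:12Z 10.30.4.77 10.20.0.12 23 ALLOW
2024-05-01T08:03:15Z 10.30.4.77 10.20.0.12 23 DENY
2024-05-01T08:04:00Z 203.0.113.9 10.20.0.11 23 DENY
2024-05-01T08:05:00Z 10.30.4.77 10.20.0.11 443 ALLOW
malformed line
"""

def is_trusted(src):
    return any(src in net for net in TRUSTED_MGMT)

def find_untrusted_telnet(log_text):
    """Return (alerts, attempts_per_source) for Telnet flows to controllers
    that originate outside the trusted management networks."""
    alerts, attempts = [], Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of failing the run
        ts, src_s, dst_s, dport_s, action = parts
        try:
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            dport = int(dport_s)
        except ValueError:
            continue
        if dst not in CONTROLLERS or dport != TELNET_PORT or is_trusted(src):
            continue
        attempts[str(src)] += 1
        # ALLOW means the segmentation rule is missing, so it ranks highest.
        severity = "high" if action == "ALLOW" else "info"
        alerts.append({"time": ts, "src": str(src), "dst": str(dst), "severity": severity})
    return alerts, attempts

if __name__ == "__main__":
    for alert in find_untrusted_telnet(SAMPLE_LOG)[0]:
        print(alert)
```

A "high" alert shows a Telnet flow that the firewall permitted from outside the management subnet; the per-source counter surfaces repeated attempts from one address.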
