CVE-2021-41299
📋 TL;DR
ECOA BAS controllers contain hard-coded credentials in their Linux distribution image, allowing remote attackers to gain administrator privileges without authentication. This affects all systems running vulnerable ECOA BAS controller software. Attackers can completely compromise affected devices.
💻 Affected Systems
- ECOA BAS Controller
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to modify building automation controls, disable security systems, exfiltrate sensitive data, or use devices as pivot points into internal networks.
Likely Case
Attackers gain administrative access to building automation systems, potentially manipulating HVAC, lighting, security, or other critical building controls.
If Mitigated
With proper network segmentation and access controls, impact is limited to the BAS network segment only.
🎯 Exploit Status
Exploitation requires only knowledge of the hard-coded credentials and network access to the device.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-5135-a9f5c-1.html
Restart Required: No
Instructions:
No official patch available. Contact ECOA for updated firmware or replacement devices without hard-coded credentials.
🔧 Temporary Workarounds
Change Default Credentials
Linux: change all default passwords and SSH keys on affected devices (run as root; the "linux" tag fused into this line was a code-block label)
passwd                                                      # changes the root password; repeat as `passwd <user>` for every other default account with a login shell
ssh-keygen -t rsa -b 4096 -N "" -f /etc/ssh/ssh_host_rsa_key  # regenerates the SSH host key shipped in the image (-N "" sets no passphrase)
systemctl restart sshd                                      # also review /root/.ssh/authorized_keys and each user's authorized_keys for keys baked into the image
Disable Remote Access
Linux: disable SSH and other remote management services if they are not required (the "linux" tag fused into this line was a code-block label)
systemctl disable sshd
systemctl stop sshd
iptables -A INPUT -p tcp --dport 22 -j DROP                 # not persistent across reboots unless saved with the distribution's iptables-save mechanism
🧯 If You Can't Patch
- Segment BAS controllers on isolated network VLANs with strict firewall rules
- Implement network access control (NAC) to restrict which devices can communicate with BAS controllers
🔍 How to Verify
Check if Vulnerable:
Attempt SSH login with known default credentials or check for hard-coded credentials in configuration files
Check Version:
cat /etc/os-release || uname -a
Verify Fix Applied:
Verify that default credentials no longer work and new credentials are required
📡 Detection & Monitoring
Log Indicators:
- Failed SSH login attempts followed by successful login
- Authentication logs showing login with default credentials
- Unusual administrative activity from unexpected IP addresses
Network Indicators:
- SSH connections to BAS controllers from unauthorized networks
- Unusual outbound connections from BAS controllers
SIEM Query:
source="auth.log" AND "Accepted password" AND (user="root" OR user="admin") AND src_ip NOT IN [allowed_ips]
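The log indicators above, turned into a small detector as an added example (not from the advisory or vendor): it parses sshd lines from auth.log, flags password logins as root or admin from outside an allow-list, and flags a success preceded by failures from the same source. The allow-list network, user set and sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines (not captured from a real device).
SAMPLE_AUTH_LOG = """\
Oct 12 08:01:10 bas-ctl sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 12 08:01:14 bas-ctl sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 12 08:01:19 bas-ctl sshd[812]: Accepted password for root from 203.0.113.7 port 51022 ssh2
Oct 12 09:15:02 bas-ctl sshd[901]: Accepted password for admin from 10.20.0.15 port 40211 ssh2
Oct 12 09:30:44 bas-ctl sshd[955]: Accepted publickey for operator from 10.20.0.20 port 40300 ssh2
"""

# Hypothetical allow-list: the BAS management VLAN from which admin logins are expected.
ALLOWED_NETS = [ip_network("10.20.0.0/24")]
PRIVILEGED_USERS = {"root", "admin"}

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text):
    """Yield (result, method, user, ip) for each sshd authentication line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def find_suspicious_logins(text, allowed_nets=ALLOWED_NETS, privileged=PRIVILEGED_USERS):
    """Return (user, ip, reasons) alerts for the two indicators listed on the page."""
    alerts = []
    failures = defaultdict(int)  # (user, ip) -> failed attempts seen before a success
    for result, method, user, ip in parse_auth_log(text):
        if result == "Failed":
            failures[(user, ip)] += 1
            continue
        reasons = []
        addr = ip_address(ip)
        if user in privileged and method == "password" and not any(addr in n for n in allowed_nets):
            reasons.append("privileged password login from outside allowed networks")
        if failures[(user, ip)] > 0:
            reasons.append(f"{failures[(user, ip)]} failed attempts preceded success")
        if reasons:
            alerts.append((user, ip, reasons))
    return alerts
```

Feed it the controller's real auth.log (or a syslog export) and tune ALLOWED_NETS to the segment where BAS administration actually happens.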