CVE-2022-24693

9.8 CRITICAL

📋 TL;DR

CVE-2022-24693 allows remote attackers to gain SSH access to Baicells Nova436Q and Neutrino 430 cellular base station devices using hardcoded credentials embedded in the firmware. This affects all devices running firmware versions up to QRTB 2.7.8. Attackers can fully compromise these devices and potentially pivot to connected networks.

💻 Affected Systems

Products:
  • Baicells Nova436Q
  • Baicells Neutrino 430
Versions: Firmware through QRTB 2.7.8
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the default firmware configuration are vulnerable. The hardcoded credentials are stored as a crypt() password hash rather than in plaintext, but the hash is easily recovered from the firmware image.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover leading to network pivoting, data interception, service disruption, and potential use as a foothold for broader attacks on connected infrastructure.

🟠 Likely Case

Unauthorized SSH access allowing configuration changes, firmware modification, credential harvesting, and device repurposing for malicious activities.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict SSH access controls and network segmentation, though the hardcoded credentials remain a persistent risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only SSH access to the device using the hardcoded credentials. Public proof-of-concept code is available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions after QRTB 2.7.8

Vendor Advisory: https://img.baicells.com/Upload/20210909/FILE/98d2752f-6e83-49b1-9dab-d291e9023db6.pdf

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Baicells support portal.
2. Upload the firmware to the device management interface.
3. Apply the firmware update.
4. Reboot the device.
5. Verify the new firmware version.

🔧 Temporary Workarounds

Network Access Control

Restrict SSH access to trusted IP addresses only using firewall rules. The ACCEPT rule must precede the DROP rule, and TRUSTED_IP is a placeholder for your management host or network.

iptables -A INPUT -p tcp --dport 22 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

SSH Configuration Hardening

Disable SSH root login and password authentication, and enforce key-based authentication. The patterns below also match directives that are commented out in the default sshd_config, which the original `^PermitRootLogin` form would silently skip.

sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart sshd

These edits are made on the device's own SSH daemon and may be reverted by a firmware update, so re-check them after patching.

🧯 If You Can't Patch

  • Isolate affected devices in a dedicated VLAN with strict egress filtering
  • Implement network monitoring for SSH authentication attempts and block suspicious IPs

🔍 How to Verify

Check if Vulnerable:

Attempt an SSH login using the known hardcoded credentials (publicly disclosed in the PoC), or check the firmware version against the vulnerable range.

Check Version:

cat /etc/version on the device, or check the firmware version via the device management interface.

Verify Fix Applied:

Verify that the firmware version is newer than QRTB 2.7.8 and that an SSH login attempt with the hardcoded credentials now fails.

📡 Detection & Monitoring

Log Indicators:

  • Failed SSH authentication attempts from unexpected sources
  • Successful SSH logins from non-admin IP addresses
  • Configuration changes without authorized change tickets

Network Indicators:

  • SSH connections to device management interfaces from external networks
  • Unusual outbound traffic from base station devices

SIEM Query:

source="ssh.log" (event="Accepted password" OR event="Failed password") AND (user="root" OR user="admin") AND dest_ip="DEVICE_IP"
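The same logic as the SIEM query above, run over sshd log lines so it can be used where no SIEM is available: this is an added example, not part of the advisory or Baicells tooling. The trusted management network, hostnames and log lines are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# OpenSSH auth-log format; the regex ignores publickey logins on purpose.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)
# Management network allowed to reach the base stations (assumed, not from the advisory).
TRUSTED = [ip_network("10.0.100.0/24")]
WATCH_USERS = {"root", "admin"}  # accounts named in the SIEM query above


def is_trusted(src):
    return any(ip_address(src) in net for net in TRUSTED)


def analyse(lines):
    """Return (alerts, failed_per_source) for the given sshd log lines.

    Every password login to a watched account from outside TRUSTED becomes an
    alert; failed attempts are counted per source to surface credential guessing.
    """
    alerts, failed = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] not in WATCH_USERS:
            continue
        if m["result"] == "Failed":
            failed[m["src"]] += 1
        if not is_trusted(m["src"]):
            alerts.append((m["host"], m["result"], m["user"], m["src"]))
    return alerts, failed


# Constructed sample lines: hostnames and addresses are made up for the example.
SAMPLE_LOG = """\
Mar  3 10:01:02 nova436q-01 sshd[812]: Accepted password for root from 10.0.100.5 port 51234 ssh2
Mar  3 10:05:17 nova436q-01 sshd[833]: Failed password for root from 198.51.100.77 port 40102 ssh2
Mar  3 10:05:19 nova436q-01 sshd[833]: Failed password for root from 198.51.100.77 port 40103 ssh2
Mar  3 10:05:23 nova436q-01 sshd[840]: Accepted password for root from 198.51.100.77 port 40104 ssh2
Mar  3 10:06:00 neutrino430-02 sshd[501]: Accepted publickey for ops from 10.0.100.9 port 3344 ssh2
""".splitlines()

if __name__ == "__main__":
    for host, result, user, src in analyse(SAMPLE_LOG)[0]:
        print(f"ALERT {host}: {result} password login for {user} from {src}")
```

Any accepted password login at all is worth review once password authentication has been disabled per the workaround, since it indicates the hardening did not take effect.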
