The Discovery, Disclosure, and Investigation of CVE-2024-25825
Hunter Chasens

TL;DR
This paper details the discovery, disclosure, and investigation of a critical default credential vulnerability in FydeOS, exploring its potential links to nation state actors and emphasizing responsible disclosure practices.
Contribution
It provides a detailed case study of vulnerability discovery, disclosure process, and investigation into potential malicious origins, highlighting best practices and challenges.
Findings
Vulnerability involves default credentials in /etc/shadow
FydeOS was already aware of the vulnerability
No evidence of malicious intent by a nation state actor
Abstract
CVE-2024-25825 is a vulnerability found in FydeOS. This thesis describes its discovery, disclosure, and its further investigation in connection to a nation state actor. The vulnerability is CWE-1392: Use of Default Credentials, CWE-1393: Use of Default Password, and CWE-258: Empty Password in Configuration File, found in the /etc/shadow configuration file. The root user's entry in the /etc/shadow file contains a wildcard allowing entry with any, or no, password. Following responsible disclosure, Fyde, CISA, and MITRE were informed. Fyde was already aware of the vulnerability. There was concern that this vulnerability might have been purposefully placed, perhaps by a nation state actor. After further investigation, it appears that this is unlikely to be the case. In cases in which poisoned code is suspected, it might be prudent to contact the appropriate CERT, rather than the parent…
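An audit for the CWE-258 condition named in the abstract, an empty password field in a shadow entry, is sketched below as an added example; it is not code from the paper or from FydeOS. The sample entries are constructed and do not reproduce the FydeOS file, and the function names are hypothetical.

```python
"""Audit shadow(5)-format text for accounts that authenticate with no password."""

# Constructed sample in shadow(5) format; it is not FydeOS's actual file.
SAMPLE_SHADOW = """\
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
broken-line-without-fields
"""


def classify(pw_field):
    """Map the second shadow field to a coarse state."""
    if pw_field == "":
        return "empty"    # no password is required to authenticate
    if pw_field[0] in "!*":
        return "locked"   # not a valid crypt(3) result: password login disabled
    if pw_field.startswith("$"):
        return "hashed"   # modular crypt format, e.g. $6$ for SHA-512
    return "other"        # legacy hash or unexpected content: review by hand


def audit_shadow(text):
    """Return (findings, malformed); findings is a list of (user, state)."""
    findings, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            malformed.append(lineno)  # report it, never skip silently
            continue
        findings.append((fields[0], classify(fields[1])))
    return findings, malformed


def passwordless(text):
    """Accounts whose password field is empty (CWE-258)."""
    return [user for user, state in audit_shadow(text)[0] if state == "empty"]


if __name__ == "__main__":
    import sys
    # With no argument the constructed sample is audited instead of a real file.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user in passwordless(src):
        print(f"FAIL: {user} has an empty password field")
```

Run against a mounted image's shadow file as part of a build or acceptance check, a non-empty result is a release blocker for any account, and root in particular.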
