CVE-2024-40892 PoC — Firewalla BTLE Weak Credentials

Associated Vulnerability
Title: Firewalla BTLE Weak Credentials (CVE-2024-40892)
Description: A weak credential vulnerability exists in Firewalla Box Software versions before 1.979. It allows a nearby attacker (within Bluetooth range) to authenticate with nothing more than the device's license UUID and provision SSH credentials over the Bluetooth Low-Energy (BTLE) interface. Once the attacker also has access to the LAN, they can log into the SSH interface with the provisioned credentials. The license UUID is not a secret: it can be acquired by sniffing the plain-text Bluetooth traffic, by reading the QR code on the bottom of the device, or (less realistically) by brute-forcing the UUID.
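The root cause above is an authentication check whose "secret" is a public identifier. The following Go program is an added illustration of that flaw class beside a hardened form; it is not Firewalla's firmware and not the fwbt PoC. The `Device` and `ProvisionRequest` types, the one-time pairing-code flow in `BeginPairing`, the lockout constants and the sample license UUID are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Illustrative model only (assumed design, not Firewalla's code): a box-side
// BLE provisioning handler that decides whether to hand out SSH credentials.
type Device struct {
	// Printed on the bottom QR code and observable over BLE: public, not a secret.
	LicenseUUID string

	mu          sync.Mutex
	pairingCode string    // short-lived secret delivered only over a trusted channel (assumption)
	pairingExp  time.Time // when pairingCode stops being valid
	failures    int
	lockedUntil time.Time
}

// ProvisionRequest is what a nearby BLE client presents to obtain SSH credentials.
type ProvisionRequest struct {
	LicenseUUID string
	PairingCode string
}

// WeakAuthorize reproduces the flawed check: whoever knows the license UUID is trusted.
// An attacker who read the QR code or sniffed the plain-text BLE exchange passes it.
func (d *Device) WeakAuthorize(r ProvisionRequest) bool {
	return r.LicenseUUID == d.LicenseUUID
}

// BeginPairing mints a one-time pairing code valid for ttl. In a real product this
// would be shown in the owner's app or gated behind a physical button press
// (assumed mechanism); the point is that it never appears on the label or on the air.
func (d *Device) BeginPairing(ttl time.Duration, now time.Time) (string, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	code := hex.EncodeToString(b)
	d.mu.Lock()
	d.pairingCode = code
	d.pairingExp = now.Add(ttl)
	d.mu.Unlock()
	return code, nil
}

var (
	ErrLocked   = errors.New("provisioning locked out after repeated failures")
	ErrBadCreds = errors.New("invalid license UUID or pairing code")
)

const (
	maxFailures = 3                // assumed lockout threshold
	lockout     = 10 * time.Minute // assumed lockout duration
)

// HardenedAuthorize requires proof of a secret the attacker cannot sniff or read
// off the label, compares in constant time, burns the code after one use so a
// captured exchange cannot be replayed, and locks out brute-force attempts.
func (d *Device) HardenedAuthorize(r ProvisionRequest, now time.Time) error {
	d.mu.Lock()
	defer d.mu.Unlock()
	if now.Before(d.lockedUntil) {
		return ErrLocked
	}
	uuidOK := subtle.ConstantTimeCompare([]byte(r.LicenseUUID), []byte(d.LicenseUUID)) == 1
	codeOK := d.pairingCode != "" && now.Before(d.pairingExp) &&
		subtle.ConstantTimeCompare([]byte(r.PairingCode), []byte(d.pairingCode)) == 1
	if !(uuidOK && codeOK) {
		d.failures++
		if d.failures >= maxFailures {
			d.failures = 0
			d.lockedUntil = now.Add(lockout)
		}
		return ErrBadCreds
	}
	d.pairingCode = "" // one-time use: a replayed BLE capture is now useless
	d.failures = 0
	return nil
}

func main() {
	// Constructed sample UUID, not a real license.
	box := &Device{LicenseUUID: "11111111-2222-4333-8444-555555555555"}
	attacker := ProvisionRequest{LicenseUUID: box.LicenseUUID} // read off the QR code
	fmt.Println("weak check accepts label-derived UUID:", box.WeakAuthorize(attacker))
	now := time.Now()
	fmt.Println("hardened check, attacker:", box.HardenedAuthorize(attacker, now))
	code, _ := box.BeginPairing(2*time.Minute, now)
	owner := ProvisionRequest{LicenseUUID: box.LicenseUUID, PairingCode: code}
	fmt.Println("hardened check, owner with pairing code:", box.HardenedAuthorize(owner, now))
}
```

Run it with `go run main.go`. The weak path accepts the request built purely from the label, which is exactly the CVE-2024-40892 condition; the hardened path rejects it, accepts only a holder of the fresh pairing code, refuses a replay of that same request, and locks the handler after three failures.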
Description
Proof of Concept code for interaction with Firewalla via Bluetooth Low-Energy and exploitation of CVE-2024-40892 / CVE-2024-40893
Readme
# fwbt

Writeup: https://www.labs.greynoise.io/grimoire/2024-08-20-bluuid-firewalla/

Without any configuration, it scans for Firewalla devices in BLE range and leaks the checksum of their License UUID.

If the License UUID is obtained, set it at `var myLicense = ""` in `main.go`. The tool then:

1. Makes a local backup of the device configuration.
2. On a later run, once the device configuration is already backed up:
   - Generates root SSH credentials (CVE-2024-40892).
   - Exploits three command injection vulnerabilities (CVE-2024-40893).
