Vulnerability Note VU#544527
OpenELEC and RasPlex have a hard-coded SSH root password
OpenELEC and derivatives utilize a hard-coded default root password, and enable SSH root access by default.
CWE-259: Use of Hard-coded Password
OpenELEC has a hard-coded root password. The root partition is by default read-only, preventing a user from changing the password once installed; furthermore, SSH access is enabled by default.
A remote attacker may gain root access to the device.
The CERT/CC is currently unaware of a full solution to this issue. Affected users may consider the following mitigations:
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|OpenELEC||Affected||-||29 Jan 2016|
|RasPlex||Affected||-||29 Jan 2016|
CVSS Metrics (Learn More)
Thanks to Aidan Samuel for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: Unknown
- Date Public: 02 Feb 2016
- Date First Published: 02 Feb 2016
- Date Last Updated: 02 Feb 2016
- Document Revision: 24
If you have feedback, comments, or additional information about this vulnerability, please send us email.