Date of Award
2024
Document Type
Thesis
Degree Name
Bachelors
Department
Natural Sciences
First Advisor
Gillman, David
Area of Concentration
Computer Science
Abstract
CVE-2024-25825 is a vulnerability found in FydeOS. This thesis describes its discovery, disclosure, and further investigation in connection to a nation-state actor. The vulnerability is classified as CWE-1392: Use of Default Credentials, CWE-1393: Use of Default Password, and CWE-258: Empty Password in Configuration File, and is found in the /etc/shadow configuration file. The root user’s entry in the /etc/shadow file contains a wildcard allowing entry with any, or no, password. Following responsible disclosure, Fyde, CISA, and MITRE were informed. Fyde was already aware of the vulnerability. There was concern that this vulnerability might have been purposefully placed, perhaps by a nation-state actor. After further investigation, it appears that this is unlikely to be the case. In cases in which poisoned code is suspected, it might be prudent to contact the appropriate CERT rather than the parent company. This, however, clashes with the typical teaching of responsible disclosure.
Recommended Citation
Chasens, Hunter, "THE DISCOVERY, DISCLOSURE, AND INVESTIGATION OF CVE-2024-25825" (2024). Theses & ETDs. 6628.
https://digitalcommons.ncf.edu/theses_etds/6628