An upgrade account is included in the IoT Controller OVA that provides the vendor undocumented access via Secure Copy (SCP).
f6519f57eed331c93ca5644c3a83e240cb6fe2ee50133663e8ee3dad642af551The IoT Controller web application includes a NodeJS module, node-red, which has the capability for users to read or write to local files on the IoT Controller. With the elevated privileges the web application runs as, this allowed for reading and writing to any file on the IoT Controller filesystem.
ab0f31561d42610f5ba5969c33fa30d3f807865c8f1eaac846a5b376b04319c7A Python script (web.py) for a Dockerized webservice contains a directory traversal vulnerability, which can be leveraged by an authenticated attacker to view the contents of directories on the IoT Controller.
671f09dc7253e2fd4b96a2bd934c4db733ea5c114369ba82a1d81b35d72836f3An undocumented, administrative-level, hard-coded web application account exists in the IoT Controller OVA which cannot be changed by the customer.
2486beac57efb14715dc2756e1ddce5fd0beb0268fa52ef3547894a1a7be04a5Hard-coded, system-level credentials exist on the Ruckus IoT Controller OVA image, and are exposed to attackers who mount the filesystem.
df1716ceee1afc4991054f7d3e009a901d7b28289e89a2bebb461c0a64b3b1d9API keys for CommScope Ruckus are included in the IoT Controller OVA image, and are exposed to attackers who mount the filesystem.
b4f5b79b878528d1365915db1dfcf08d2ea164bfda75ebc9baab1499e553cb33Three API endpoints for the IoT Controller are accessible without authentication. Two of the endpoints result in information leakage and consumption of computing/storage resources. The third API endpoint that does not require authentication allows for a factory reset of the IoT Controller.
a8546049f222180c6bd593bbd28ea7a598ba7bbcd08ac8c48b4f8ac76357ba7cBarco wePresent WiPG-1600W versions 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 have firmware that does not perform verification of digitally signed firmware updates and is susceptible to processing and installing modified/malicious images.
ce155e50978552faf0e472116a9c5ce4f975a3420fd6632369708f93d1554c2aBarco wePresent WiPG-1600W versions 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 have a hardcoded root password hash included in the firmware image.
75cc1a2f773099f090db6e25b10a5322af43049d1ef7d2035e513c189b3011edBarco wePresent WiPG-1600W version 2.5.1.8 has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. The web interface does not provide a visible capability to alter this configuration file variable. However, a malicious actor can include this variable in a POST such that the SSH daemon will be started when the device boots.
a366665beb0a2a41a9a77ce23a19d8837b9d6bfef4a80c4bbf011cf9589c7bc4The Barco wePresent WiPG-1600W version 2.5.1.8 web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials.
77ed3fcf16f9ea1209c2673adba8c737e13b77a283c9ea2dfab06836d2aa7ddeAn attacker armed with hardcoded API credentials from KL-001-2020-004 (CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp for Barco wePresent WiPG-1600W version 2.5.1.8.
d17ea5576bc764da9307b56d3e500fe6c4d6a46a6d607ac07eeebd256034d86cBarco wePresent device firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Versions affected include 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19.
22801e1943167d9cae8f39b9e75645ceb62540439a7d2d3cf58ea0fee603d235
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed