Authentication bypass in Datalogic AV7000 Linear Barcode Scanner



Published: 2019-08-28
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-13526
CWE-ID CWE-288
Exploitation vector Local network
Public exploit N/A
Vulnerable software
Subscribe
AV7000 Linear Barcode Scanner
Hardware solutions / Firmware

Vendor Datalogic

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Authentication bypass using an alternate path or channel

EUVDB-ID: #VU20419

Risk: Medium

CVSSv3.1: 7 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13526

CWE-ID: CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exist due to improper implementation of the authentication process. A remote authenticated attacker can bypass authentication through issues in the HTTP authentication process and execute arbitrary code on the target device.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

AV7000 Linear Barcode Scanner: before 4.6.0.0

External links

http://ics-cert.us-cert.gov/advisories/icsa-19-239-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###