SB2020030412 - Multiple vulnerabilities in TONNET TAT-76 and TAT-77 series of products
Published: March 4, 2020
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2020-3923)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to a misconfigured authentication mechanism in the DVR firmware. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
2) Command Injection (CVE-ID: CVE-2020-3924)
The vulnerability allows a remote user to execute arbitrary commands on the system.
The vulnerability exists because the DVR firmware does not properly verify patch files. A remote attacker can inject a specific command into a patch file and gain access to the system.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.