SB2020112101 - Multiple vulnerabilities in Barco wePresent WiPG-1600W




Published: November 21, 2020

Security Bulletin ID: SB2020112101
Severity: High
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 67%, Medium 33%

Description

This security bulletin contains information about 6 security vulnerabilities.


1) Use of hard-coded credentials (CVE-ID: CVE-2020-28329)

The vulnerability allows a remote attacker to gain full access to the vulnerable system.

The vulnerability exists due to the presence of hard-coded credentials in the application code, including hard-coded credentials for the API and a hard-coded password in clear text. A remote unauthenticated attacker can access the affected system via port 4001/tcp using the hard-coded credentials.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


2) Cleartext storage of sensitive information (CVE-ID: CVE-2020-28330)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because the application stores credentials in plain text. A remote attacker can obtain the administrator's password in clear text via an API request (see vulnerability #1). This password can be used to log in via the admin interface on port 443/tcp.


3) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2020-28333)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to the way the firmware handles authenticated sessions. The session token is passed via the HTTP GET "SEID" parameter. A remote attacker can obtain the session token via the browser's HTTP Referer header and gain unauthorized access to the device.
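
A detection sketch for the Referer leak described above, added here as an example and not taken from the bulletin or the vendor: it scans forward-proxy access logs for SEID values carried in request URLs and in Referer headers sent to a different host. The log format (combined format with absolute request URLs), host names, path and token values are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: forward-proxy access log in combined format with absolute
# request URLs (assumed format). Hosts, path and token values are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Nov/2020:10:00:01 +0000] "GET https://wipg.example.lan/page?SEID=AAAA1111BBBB2222 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Nov/2020:10:00:02 +0000] "GET https://wipg.example.lan/style.css HTTP/1.1" 200 90 "https://wipg.example.lan/page?SEID=AAAA1111BBBB2222" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Nov/2020:10:00:03 +0000] "GET https://cdn.example.net/logo.png HTTP/1.1" 200 4096 "https://wipg.example.lan/page?SEID=AAAA1111BBBB2222" "Mozilla/5.0"',
    '10.0.0.9 - - [21/Nov/2020:10:00:04 +0000] "GET https://intranet.example.lan/ HTTP/1.1" 200 733 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def seid_of(url):
    """Return the SEID query-string value carried by url, or None."""
    values = parse_qs(urlsplit(url).query).get("SEID")
    return values[0] if values else None

def redact(token):
    """Keep only a short prefix so the report does not re-leak the session token."""
    return token[:4] + "..."

def find_seid_exposure(lines):
    """Return (kind, client, destination host, redacted token) per exposure."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        dest = urlsplit(m["url"]).hostname
        url_token = seid_of(m["url"])
        ref_token = seid_of(m["referer"])
        if ref_token and urlsplit(m["referer"]).hostname != dest:
            # The browser sent the token-bearing URL to another host as Referer.
            findings.append(("referer-leak", m["client"], dest, redact(ref_token)))
        elif url_token:
            # Token in the URL: it also lands in logs, history and later Referers.
            findings.append(("token-in-url", m["client"], dest, redact(url_token)))
    return findings

if __name__ == "__main__":
    for finding in find_seid_exposure(SAMPLE_LOG):
        print(finding)
```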


4) Improper access control (CVE-ID: CVE-2020-28331)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the presence of an undocumented SSH server on the device. A remote authenticated attacker can activate the SSH server to gain remote access to the device.


5) Use of hard-coded credentials (CVE-ID: CVE-2020-28334)

The vulnerability allows a remote attacker to gain full access to the vulnerable system.

The vulnerability exists due to the presence of hard-coded credentials for the root account. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


6) Download of code without integrity check (CVE-ID: CVE-2020-28332)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists because the software does not perform an integrity check when downloading updates. A remote attacker able to perform a man-in-the-middle (MitM) attack can supply a malicious software image and gain full control over the affected system after a successful software update.


Remediation

Install the update from the vendor's website.