SB2021081801 - Improper access control in ThroughTek Kalay P2P SDK
Published: August 18, 2021 Updated: August 18, 2021
Security Bulletin ID
SB2021081801
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper access control (CVE-ID: CVE-2021-28372)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions to gain access to sensitive information (such as camera feeds) and execute arbitrary code on the system.
This vulnerability affects the following versions of P2P Software Development Kit (SDK):
- SDK versions with the nossl tag
- Device firmware that does not use AuthKey for IOTC connection
- Device firmware using the AVAPI module without enabling DTLS mechanism
- Device firmware using P2PTunnel or RDT module
Remediation
Install update from vendor's website.
References
- https://www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html
- https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2021-0020/FEYE-2021-0020.md
- https://www.throughtek.com/about-throughteks-kalay-platform-security-mechanism/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01