Main Vulnerability Database Vulnerabilities #VU19123

#VU19123 Use of hard-coded credentials in Cynap

Published: July 10, 2019 / Updated: July 15, 2019

Vulnerability identifier: #VU19123

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: N/A

CWE-ID: CWE-798

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Cynap

Software vendor:
WolfVision

Description

The vulnerability allows a remote attacker to gain full access to vulnerable device.

The vulnerability exists due to the device uses a static, hard-coded cryptographic secret for generating support PINs for the 'forgot password' feature. A remote attacker with knowledge of this static secret and corresponding algorithm for calculating support PINs can reset password of the administrator account and gain unauthorized access to the affected device.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable device.

Remediation

Install updates from vendor's website.

External links

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-021.txt

#VU19123 Use of hard-coded credentials in Cynap

Description

Remediation

External links

Please verify you're human