Use of hard-coded credentials in Cynap - #VU19123

 

Use of hard-coded credentials in Cynap - #VU19123

Published: July 10, 2019 / Updated: July 15, 2019


Vulnerability identifier: #VU19123
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: N/A
CWE-ID: CWE-798
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: WolfVision
Affected software:
Cynap

Detailed vulnerability description

The vulnerability allows a remote attacker to gain full access to vulnerable device.

The vulnerability exists due to the device uses a static, hard-coded cryptographic secret for generating support PINs for the 'forgot password' feature. A remote attacker with knowledge of this static secret and corresponding algorithm for calculating support PINs can reset password of the administrator account and gain unauthorized access to the affected device.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable device.


Remediation

Install updates from vendor's website.

Sources