Use of hard-coded credentials in Cynap - CVE-2019-13352

 


Published: July 5, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU31018
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-13352
CWE-ID: CWE-798
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: WolfVision
Affected software:
Cynap

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

WolfVision Cynap before 1.30j uses a static, hard-coded cryptographic secret for generating support PINs for the 'forgot password' feature. By knowing this static secret and the corresponding algorithm for calculating support PINs, an attacker can reset the ADMIN password and thus gain remote access.
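As an added illustration of the weakness class above (CWE-798, use of hard-coded credentials), here is a constructed Python example that is not WolfVision's code and makes no claim about how Cynap actually derives its support PINs. The secret value, the serial-number input and the HMAC-based derivation are all hypothetical. The first function shows why a secret shared by every unit makes the PIN a pure function of public data; the class beside it shows the pattern a vendor would ship instead: a random, single-use, time-limited PIN with attempt limiting, so nothing in the firmware allows the PIN to be predicted.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example. The secret value and the derivation below are hypothetical
# and are NOT WolfVision's; they only illustrate the CWE-798 pattern.
STATIC_SECRET = b"example-firmware-wide-secret"


def support_pin_static(serial: str, secret: bytes = STATIC_SECRET) -> str:
    """Weak pattern: PIN derived from a secret baked into every unit's firmware.

    Because `secret` is identical on every device, the PIN is a pure function of
    public data (here the serial number). Recovering the secret from any one
    unit or firmware image is enough to compute the support PIN for every unit.
    """
    digest = hmac.new(secret, serial.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class SupportPinHardened:
    """Hardened pattern: the PIN is random, issued on demand, single-use,
    time-limited and attempt-limited; no static material can predict it."""

    def __init__(self, window_seconds: int = 300, max_attempts: int = 5) -> None:
        self.window = window_seconds
        self.max_attempts = max_attempts
        self._pin_hash: Optional[bytes] = None
        self._expires_at = 0.0
        self._attempts = 0

    def issue(self, now: float) -> str:
        """Generate a fresh PIN, e.g. to be relayed to the vendor's support desk."""
        pin = f"{secrets.randbelow(1_000_000):06d}"
        # Keep only a hash; the device never needs the cleartext PIN again.
        # Expiry and the attempt limit, not the hash, are what bound guessing.
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._expires_at = now + self.window
        self._attempts = 0
        return pin

    def verify(self, pin: str, now: float) -> bool:
        """Accept the correct PIN once inside its window; refuse after too many tries."""
        if self._pin_hash is None or now > self._expires_at:
            return False
        if self._attempts >= self.max_attempts:
            return False
        self._attempts += 1
        candidate = hashlib.sha256(pin.encode()).digest()
        if hmac.compare_digest(candidate, self._pin_hash):
            self._pin_hash = None  # single use: a captured PIN cannot be replayed
            return True
        return False


if __name__ == "__main__":
    # Two units with the same serial and the same baked-in secret share a PIN.
    print("static PIN:", support_pin_static("WV-000123"), support_pin_static("WV-000123"))
    dev = SupportPinHardened(window_seconds=300, max_attempts=3)
    pin = dev.issue(now=1000.0)
    print("hardened PIN accepted once:", dev.verify(pin, now=1001.0))
    print("replay refused:", dev.verify(pin, now=1002.0))
```

The defensive takeaway is the one the advisory's fix implies: a support or recovery PIN must carry fresh per-request entropy that the device generates and stores only in hashed form, and it must expire and lock out, so that neither firmware analysis nor the PIN algorithm itself yields a working code.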


How to mitigate CVE-2019-13352

Install the update from the vendor's website.

Sources