Information disclosure in HD838 and HD438IR

#VU31894 Information disclosure in HD838 and HD438IR

Published: 2020-07-27

Vulnerability identifier: #VU31894

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11625

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
HD838
Hardware solutions / Security hardware applicances
HD438IR
Hardware solutions / Security hardware applicances

Vendor: AvertX

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to failed web UI login attempts that elicit different responses depending on whether a user account exists. A remote attacker can enumerate legitimate usernames.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

HD838: All versions

HD438IR: All versions

External links
http://unit42.paloaltonetworks.com/avertx-ip-cameras-vulnerabilities/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in AvertX HD838 and HD438IR cameras