Description:
On March 9th, 2019, I disclosed a vulnerability in the Room Alert 3E v2.2.3 and v2.2.4 firmware to the security team at AVtech. The vulnerability allows an attacker full access to the device when exploited. Having given them 90 days to remediate the issue, I am now disclosing my findings here so that companies may better protect themselves from possible attacks. (Update) You may now reference this vulnerability by its CVE, CVE-2019-13379.
Please note I have only tested this on systems I owned with firmware versions v2.2.3 and v2.2.4, although it is likely more firmware versions and devices are vulnerable.
POC:
Full authentication bypass can be achieved by sending a request to this address:
http://Localhost/cmd.cgi?action=ResetDefaults&src=RA
This initiates a reset of the device remotely, which subsequently allows someone to log in using the default device credentials while also causing a short denial of service.
Remediation:
My recommendation would be to update your firmware to version 2.2.5. This version was released on May 23, 2019 to address this issue, although I no longer have access to a device to confirm this resolved the vulnerability. Also, please, for the love of God, take your devices off the internet; they are all one curl away from useless.
If anyone has access to one of these devices and would like to help me validate that the new firmware fixed the problem, please contact me at JordonLovik@gmail.com.
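Detection logic for the request described in the POC, added here as an example and not part of the original post: it scans web access logs from a proxy or firewall in front of the device for the cmd.cgi ResetDefaults call and reports the source of each one. The combined log format, the function names, the IP addresses and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed input: combined-log-format lines from a proxy in front of the device.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_reset_request(target):
    """True if the request target is the cmd.cgi ResetDefaults call."""
    parts = urlsplit(target)
    # Decode and lowercase before comparing so encoded or re-cased
    # spellings of the same request are still caught (deliberately broad).
    path = unquote(parts.path).lower().rstrip("/")
    if not path.endswith("/cmd.cgi"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    actions = [v.lower() for k, vals in params.items()
               if k.lower() == "action" for v in vals]
    return "resetdefaults" in actions

def find_reset_attempts(lines, trusted=frozenset()):
    """Return one record per logged reset request; 'trusted' marks admin hosts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_reset_request(m["target"]):
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "status": int(m["status"]),
                         "trusted": m["ip"] in trusted})
    return hits

# Constructed sample lines (documentation IP ranges, placeholder action value).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2019:10:00:05 +0000] "GET /cmd.cgi?action=ResetDefaults&src=RA HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jun/2019:10:00:09 +0000] "GET /cmd.cgi?action=%52esetDefaults&src=RA HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jun/2019:10:01:00 +0000] "GET /cmd.cgi?action=Placeholder HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in find_reset_attempts(SAMPLE_LOG, trusted={"192.0.2.10"}):
        print(hit)
```

Any hit from an address outside the trusted set is worth treating as a possible reset of the device to default credentials.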