RoomAlert by AVTech Critical Vulnerability Disclosure

Description:

On March 9th 2019 I disclosed a vulnerability in the Room Alert 3E v2.2.3 and v2.2.4 firmware to the security team at AVtech. The vulnerability allows an attacker full access to the device when exploited. Having given them 90 days to remediate the issue I am now disclosing my findings here so that companies may better protect themselves from possible attacks. (update) you may now reference this vulnerability by its CVE 2019-13379 

Please note I have only tested this on systems I owned with firmware versions v2.2.3 and v2.2.4 although it is likely more firmware versions and devices are vulnerable.

POC:

Full authentication bypass can be achieved by sending a request to this address http://Localhost/cmd.cgi?action=ResetDefaults&src=RA This initiates a reset of the device remotely which subsequently allows someone to login using the default device credentials while also causing a short denial of service.

Remediation:

My recommendation would be to update your firmware to version 2.2.5. This version was released on May 23 2019 to address this issue. Although I no longer have access to a device to confirm this resolved the vulnerability. Also please for the love of God take your devices off the internet they are all one curl away from useless.

Shodan Search

 

If anyone has access to one of these devices and would like to help me validate the new firmware fixed the problem please contact me at JordonLovik@gmail.com.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: