The first vulnerability, identified as CVE-2024-13892, concerns inadequate sanitization of special characters in commands, allowing command injection. During device initialization, users must use a mobile application to supply access point credentials. That input is not properly sanitized before it reaches a command, so a malicious actor could use it to execute arbitrary commands on the device.
The second vulnerability, CVE-2024-13893, concerns the use of default credentials. The affected devices share the same password for the Telnet service, which raises significant security concerns. The hashed form of the password can be retrieved through physical access to the device's SPI-connected memory. For Telnet to be enabled, a specific folder name must be present on the inserted SD card. However, details regarding the range of affected devices or the firmware groupings that share the same password remain unverified, as Averos has not responded to CERT's inquiries.
Lastly, CVE-2024-13894 highlights the inadequate restriction of access directories, allowing for potential path traversal attacks. When connected to a mobile application, the devices open port 10000, enabling users to download images captured at specific times by entering file paths. Unfortunately, the access restrictions are not properly enforced, permitting attackers to exploit this flaw and access sensitive information residing in restricted directories.
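As an added example (not Averos firmware or CERT Polska code), the unchecked path concatenation the advisory describes for the port-10000 image download is shown next to a hardened resolver that keeps every request inside the capture directory; `IMAGE_ROOT` and the function names are assumptions.

```python
import os
from pathlib import Path

# Assumed capture directory; constructed for this example, not a real device path.
IMAGE_ROOT = Path("/tmp/avc_images_demo")


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would leave the image root."""


def vulnerable_resolve(requested: str, root: Path = IMAGE_ROOT) -> Path:
    """The unchecked behaviour the advisory describes: join and serve.

    os.path.join keeps '..' segments and even discards root entirely when the
    client sends an absolute path, so any file on the device becomes readable.
    """
    return Path(os.path.join(str(root), requested))


def resolve_image_path(requested: str, root: Path = IMAGE_ROOT) -> Path:
    """Map a client-supplied path to a file under root, or raise.

    Rejects NUL bytes and absolute paths up front, then resolves both the root
    and the candidate (collapsing '..' and following symlinks) and requires the
    real candidate to sit inside the real root.
    """
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in path")
    if os.path.isabs(requested):
        raise PathTraversalError("absolute path not allowed")
    real_root = root.resolve()
    candidate = (real_root / requested).resolve()
    try:
        candidate.relative_to(real_root)  # ValueError if candidate escaped root
    except ValueError:
        raise PathTraversalError(f"path escapes image root: {requested!r}") from None
    return candidate


def is_safe(requested: str) -> bool:
    """Convenience wrapper: True if the hardened resolver accepts the path."""
    try:
        resolve_image_path(requested)
        return True
    except PathTraversalError:
        return False
```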
Despite CERT Polska’s efforts to coordinate the disclosure of these vulnerabilities, there has been no confirmation or response from Averos regarding patches or fixes. The potential for newer firmware versions to remain vulnerable is a lingering concern, as well as the possibility of other products that utilize similar firmware also being affected.
This disclosure emphasizes the need for manufacturers to prioritize security in their product cycles, especially in devices that can easily be connected to external networks and accessed physically. The successful exploitation of these vulnerabilities may lead to serious repercussions, not just for the end users but also for the reputation of the manufacturers involved.
Thank you to Michał Majchrowicz and Marcin Wyczechowski from the Afine team for responsibly reporting these vulnerabilities. More details regarding the vulnerability disclosure process can be found on CERT Polska's website.
As the awareness and understanding of cybersecurity risks grow, it is crucial for companies to address any vulnerabilities swiftly and transparently, enabling users to maintain trust in their devices and services. The cybersecurity community continues to emphasize the importance of both patch management and responsible vulnerability disclosure practices in upholding safe and secure digital environments.