Vulnerability CVE-2020-28331


Published: 2020-11-24

Description:
Barco wePresent WiPG-1600W devices have Improper Access Control. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W device has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. The web interface does not provide a visible capability to alter this configuration file variable. However, a malicious actor can include this variable in a POST such that the SSH daemon will be started when the device boots.

See advisories in our WLB2 database:
Topic
Author
Date
High
Barco wePresent Global Hardcoded Root SSH Password
Jim Becher
21.11.2020
Med.
Barco wePresent Undocumented SSH Interface
Jim Becher
21.11.2020
Med.
Barco wePresent Insecure Firmware Image
Matthew Bergin
21.11.2020

Type:

CWE-798

 References:
http://packetstormsecurity.com/files/160162/Barco-wePresent-Undocumented-SSH-Interface.html
https://korelogic.com/Resources/Advisories/KL-001-2020-007.txt

Copyright 2020, cxsecurity.com

 

Back to Top