******************************************************************************* % Advisory Name: RoomWizard Default Password and Sync Connector Credential Leak % Date: 2010-08-16 % Appliance/SW: RoomWizard Web-based room scheduling system % Versions: Tested on Firmware 3.2.3 (Model RW10) % Author: Sean Lam < seansec (at) live (d0t) com > % Vendor Status: Vendor Contacted % CVE Candidate: CVE-2010-0214 % Reference: n/a ******************************************************************************* % Vulnerability Overview ************************ The RoomWizard Web based scheduling system with touch screen display uses a default password: "roomwizard" which would allow remote attackers to obtain console access at http://DeviceIP:80 Various configuration items can be tampered with once authenticated. Additionally, a GET request on http://DeviceIP:80/admin/sign/DeviceSynch will result in a leakage of the Sync Connector username and password on two input boxes (password masked via type = password): .....type="text" name="connectorusername" value="DOMAIN/DOMAINID"></td> .....type="password" name="connectorpassword" value="DOMAINIDPASS"></td> % Vendor Response & Timeline **************************** 2010-08-17 CERT/CC contacted for CVE Identifier Resvn (CVE-2010-0214) CERT/CC Vuln Tracking number VU#870601 2010-08-18 Vulnerability reported to CERT/CC and escalated to vendor 2010-12-21 CERT/CC informs vendor has fixed issue with latest patch % Recommendations ************************ Apply latest patch released by vendor