The following advisory describes three (3) vulnerabilities found in the following vendors:
The vulnerabilities found:
- Hard-coded credentials
- Remote command injection (2)
It is possible to chain the vulnerabilities and to achieve unauthenticated remote command execution.
An independent security researcher, Robert Kugler (https://www.s3cur3.it), has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
We tried to contact Lorex, Kraun and Eminent, but our attempts to establish contact went unanswered; therefore, no details have been provided on a solution or a workaround.
StarVedia were informed of the vulnerabilities and released patches to address them – “These two issues were fixed before your contacting us”