-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2020-008 : Barco wePresent Global Hardcoded Root SSH Password Title: Barco wePresent Global Hardcoded Root SSH Password Advisory ID: KL-001-2020-008 Publication Date: 2020.11.20 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2020-008.txt 1. Vulnerability Details Affected Vendor: Barco Affected Product: wePresent WiPG-1600W Affected Version: 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19 Platform: Embedded Linux CWE Classification: CWE-798: Use of Hard-coded Credentials CVE ID: CVE-2020-28334 2. Vulnerability Description The Barco wePresent device has a hardcoded root password hash included in the firmware image. To our knowledge the password hash has not been cracked and published; it is possible this could occur at any time. This combined with KL-001-2020-004 (CVE-2020-28329), KL-001-2020-005 (CVE-2020-28330), and KL-001-2020-007 (CVE-2020-28331) could be used in a simple and automated exploit chain to go from unauthenticated remote attacker to root shell. 3. Technical Description In looking at the unpacked firmware, a root hash was quickly identified in the /etc/shadow file on the device. It is the only account in the /etc/shadow. The device does not prompt the administrator to set a new root password, therefore this password is hardcoded and exists across all devices. 4. Mitigation and Remediation Recommendation The vendor has released an updated firmware (2.5.3.12) which remediates the described vulnerability. Firmware and release notes are available at: https://www.barco.com/en/support/software/R33050104 5. Credit This vulnerability was discovered by Jim Becher (@jimbecher) of KoreLogic, Inc. 6. Disclosure Timeline 2020.08.24 - KoreLogic submits vulnerability details to Barco. 2020.08.25 - Barco acknowledges receipt and the intention to investigate. 2020.09.21 - Barco notifies KoreLogic that this issue, along with several others reported by KoreLogic, will require more than the standard 45 business day remediation timeline. Barco requests to delay coordinated disclosure until 2020.12.11. 2020.09.23 - KoreLogic agrees to 2020.12.11 coordinated disclosure. 2020.09.25 - Barco informs KoreLogic of their intent to acquire CVE number for this vulnerability. 2020.11.09 - Barco shares CVE number with KoreLogic and announces their intention to release the updated firmware ahead of schedule, on 2020.11.11. Request that KoreLogic delay public disclosure until 2020.11.20. 2020.11.11 - Barco firmware release. 2020.11.20 - KoreLogic public disclosure. 7. Proof of Concept After unpacking the firmware: $ ls -al etc/shadow -rwxr-xr-x 1 user user 59 May 25 00:11 etc/shadow $ cat etc/shadow root:$1$reqE8o6b$[REDACTED]:12940:0:99999:7::: The contents of this advisory are copyright(c) 2020 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt -----BEGIN PGP SIGNATURE----- iQJOBAEBCAA4FiEETtzSIGy8wE6Vn0geUk0uR1lFz/MFAl+4JqwaHGRpc2Nsb3N1 cmVzQGtvcmVsb2dpYy5jb20ACgkQUk0uR1lFz/OUgRAAzvEIk8baZAnq8FCelz0c Yjq0j7BP6YuZW+6oIwoQz2EhR8ADq7EupHheT8gJtkBpLm37m+X3cb0Fz1/MVc5e 2KyXvsLrI3G1FnMrjFF8fg/soisEW1c7REuHYklO8vSqB1G4+RC2P0GLwN1oe1rm +gF6Z09LgIbM4jUGzO+H1+JQfiv4Tn3vzwrcCMKdBArBpbXBgCcIcH8IW1xcvBLc 1B2WUVSpRy2z2tEo1Zaa2mQ/raGjeGg19SYJimhU4OVOmzg3FOv2ohBpIXUqoHvd xViLdqrnc6AmFNtpaeEXfz9rXAqPyjwkiU+Ak/jrZplL8mfbWMkfRCQ1vI/tJcf0 MVQmuv9Y67KhdQUqFu8vwuevRZRc9t+26AfYJ1xvJsKE/l+6Y9pT2xmyKtRV+aFG Qs1Sdyq6mH73yaJV+4i1+0ZKoWXHLWlz76HRt2TALGJQarTXPOKnHfwke6/r3QCP BYdgx6CfAr9O686unBucCRVlnIkYaVeF/0O8xW2V+tylljKI6rxiuToBjAan76Hh qqy05zlwmLHdElfUmsUx8VM8bgINAiOhRktCLLaD+bWJbhZ+voFcmn5fy2ieBP2y TS3SXmm0NROs7ti2r9r8ocWl2GT9pOCa9XevNjCoYwNKSiDyzo3nDpycOzdsTjS2 Uiz7fTco616dNzs7WSaI4Xo= =p0XC -----END PGP SIGNATURE-----