Mitigation details for a hard-coded password vulnerability that impacts the 360 Systems’ Image Server 2000 series devices are now available, according to a report on ICS-CERT.
Exploitation of this vulnerability, discovered by independent researchers Neil Smith and Ryan Green, could cause loss of integrity.
360 Systems has not released a patch, new version, or firmware upgrade to fix this issue, but recommends mitigating this vulnerability by removing the device from any public-facing networks.
This remotely exploitable vulnerability has an impact on the communications and emergency services sectors.
The following 360 Systems product versions suffer from the issue:
• Image Server 2000 (all models),
• Image Server Maxx (all models), and
• Maxx (all models)
With the ability to log into the image server with root privileges, an attacker could modify or upload video and schedule it to play immediately or at a future time.
This vulnerability could also impact the emergency broadcast system in the United States.
360 Systems is a U.S.-based company that sells products around the world, including in Asia, Latin America, Africa, and North America.
The affected products are video servers used in broadcasting and emergency services. According to 360 Systems, the Image Server 2000 series devices connect into local and network broadcast stations. 360 Systems estimates that over 3,000 broadcasters use these systems.
The 360 Systems image server series ships with a root user account that is installed at the factory and set with a default password. Using this root account and its hard-coded password, an attacker can log into the device through Port 22/TCP with root privileges.
The catch is that the user cannot change this password or remove the root user account. CVE-2012-4702 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
No known public exploits specifically target this vulnerability, but an attacker with low skill would be able to exploit it.
In addition to the mitigation details, the vendor also recommends the use of properly configured firewalls to restrict access to only necessary ports and the use of Virtual Private Networks if access is required. For more information on proper setup of this device, users should contact 360 Systems’ customer service department.
The operations manuals for each of these devices state: “The server is designed to be used in a private dedicated video network. A firewall must be used in systems that require internal security or connection to public networks. Consult with a network security specialist for guidance on the best hardware, programming and practices for your facility’s requirements.”
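One way for an operator to confirm the recommended isolation is in place, as an added example that is not from 360 Systems or ICS-CERT: the script below checks each image server in an inventory for a globally routable address and for whether 22/TCP accepts connections from the host it runs on. It assumes it is run from a host outside the dedicated video network; the device names and addresses are constructed placeholders.

```python
import ipaddress
import socket

SSH_PORT = 22  # the port the advisory names for the root login


def is_public_facing(addr: str) -> bool:
    """True when the address is globally routable (not private, loopback, link-local)."""
    return ipaddress.ip_address(addr).is_global


def port_reachable(addr: str, port: int = SSH_PORT, timeout: float = 2.0) -> bool:
    """True when a TCP connection to addr:port completes from this vantage point."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or no route: the firewall is doing its job
        return False


def audit(inventory: dict[str, str], port: int = SSH_PORT) -> list[dict]:
    """Return one finding per device; 'exposed' is set when either check fails."""
    findings = []
    for name, addr in inventory.items():
        public = is_public_facing(addr)
        reachable = port_reachable(addr, port)
        findings.append({
            "device": name,
            "address": addr,
            "public_address": public,
            "ssh_reachable": reachable,
            "exposed": public or reachable,
        })
    return findings


if __name__ == "__main__":
    # Constructed inventory (assumption); replace with your own names and addresses.
    sample = {"imageserver-a": "10.20.0.11", "imageserver-b": "10.20.0.12"}
    for finding in audit(sample):
        status = "EXPOSED" if finding["exposed"] else "ok"
        print(f'{finding["device"]:15} {finding["address"]:15} {status}')
```

Any device reported as exposed is still reachable on the SSH port from the untrusted side, or sits on a public address, and needs its firewall or VPN placement reviewed.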