AVTech Multiple Vulnerabilities

Critical Nessus Plugin ID 104102

Synopsis

The remote AVTech device is affected by mulitple vulnerabilities

Description

The remote AVTech device is affected by multiple vulnerabilties.
Depending on the firmware version the vulnerabilities may include:

- All user passwords are stored in cleartext

- The web interface does not use CSRF protections

- An attacker is able to perform arbitrary HTTP requests through the device without authentication

- An unauthenticated remote user can execute arbitrary system commands by sending a crafted HTTP request to Search.cgi

- An unauthenticated remote user can bypass authentication by sending a crafted HTTP request

- An unauthenticated remote user can download any file from the web root by sending a crafted HTTP request

- An authenticated user can execute arbitrary system commands by sending a crafted HTTP GET request to CloudSetup.cgi, adcommand.cgi, or PwdGrp.cgi

These vulnerabilities have been used by the IoT Reaper botnet.

Solution

At time of publication, AVTech had not yet released patches. Users should take precautions to ensure affected devices are not exposed to the internet and that the devices are properly isolated on the local network.

See Also

https://github.com/Trietptm-on-Security/AVTECH

http://www.search-lab.hu/media/vulnerability_matrix.txt

http://www.nessus.org/u?197042fe

Plugin Details

Severity: Critical

ID: 104102

File Name: avtech_unrestricted_download.nasl

Version: 1.5

Type: remote

Family: CGI abuses

Published: 2017/10/23

Modified: 2018/06/14

Dependencies: 104103

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 9.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:U/RC:ND

CVSSv3

Base Score: 10

Temporal Score: 9.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:U/RC:X

Vulnerability Information

Required KB Items: installed_sw/AVTech

Vulnerability Publication Date: 2017/10/11