
CVE-2022-28605: hardcoded on LinkPlay app

LinkPlay Sound Bar v1.0 allows attackers to escalate privileges via a hardcoded password for the SSL certificate.


From: Lifeng Zhao [email protected]
Sent: Sunday, December 12, 2021 5:03 PM
To: Hidden
Subject: Re: Security Vulnerability

*** The Answer ***

Hi Ohana,

Thank you very much for your detailed report on the security vulnerability. It’s super helpful and important to us. We’ll take the immediate action to fix this. Thank you again for your great support.

Best,
Lifeng

From: Hidden
Date: 2021-12-12 21:24
To: [email protected]
Subject: Security Vulnerability

*** The vulnerability ***

Bug Type: Hard-coded secret key
Impact: RCE, Supply chain attack
Platforms: IOS + Android applications

Our lab team has reviewed your product from a security perspective and noticed a few security issues that you should be aware of (technical details provided below). It is important to note that CyberArk Labs follow the security industry standard disclosure policy. We allow 90 days for the issues to be fixed/patched/mitigated. CyberArk Labs reserves the right to publicly disclose all information about the issues after this timeframe. We would be happy to share any additional information and to cooperate with you in mitigating the issue in a timely fashion.

Summary: We can access an admin user in the Artifactory JFrog system, through which you can manage all the code of the applications and change it. As a result, we can change the application code across multiple tenants, ending with full RCE over every app. It is important to note, however, that both Android and IOS applications suffer from these vulnerabilities.

In details: We found the API key for admin and the password of the SSL client certificate have been hardcoded and stored on the application SoundBar (com.wifiaudio.Yamaha). To exploit this, you can add the API key to each request sent to the server.

1. Within the SoundBar application, we found the password of certificate_new_encrypted.p12 SSL certificate file. Using this certificate, we can communicate with the Soundbar device on port 443. Besides that, we found that the file is encoded with the XOR operator with the number 2. Therefore, it is simple to overcome the encoding. As a result, we can communicate with HTTPS requests with the device.

2. Also, we found that the application sends logs to the URL https://log.linkplay.com:8081/artifactory/Android/logs with the header "X-JFrog-Art-Api", and the API key AKCp5bB…. We discovered this API key is the key of the admin user in the system. This is a major security concern because every malicious user can access the JFrog artifactory with full admin access. In other words, a malicious user can corrupt the repository and cause clients to download malicious applications.

3. Moreover, we noticed that the JFROG version (6.2.0) is not up-to-date. The latest version is (7.10.2). Thus, it is vulnerable to the following CVEs:
   1. CVE-2020-7931
   2. From the frog website

Lastly, we found the vulnerability (the admin API key) in many applications. Below are some links to several apps:

· https://play.google.com/store/apps/details?id=com.medion.speaker
· https://play.google.com/store/apps/details?id=com.wifiaudio.Yamaha
· https://play.google.com/store/apps/details?id=com.wifiaudio.triangle
· https://play.google.com/store/apps/details?id=com.wifiaudio.cavalier
· https://play.google.com/store/apps/details?id=com.wifiaudio.jam
· https://play.google.com/store/apps/details?id=com.wifiaudio.FABRIQ
· https://play.google.com/store/apps/details?id=com.zoundindustries.marshallvoice
· https://play.google.com/store/apps/details?id=com.dpiinc.ISBWV418B
· https://play.google.com/store/apps/details?id=com.ihome.ama
· https://play.google.com/store/apps/details?id=com.wifiaudio.iHome
· https://play.google.com/store/apps/details?id=com.wifiaudio.Creative
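
A release-gate check for the class of bug reported above, as an added example that is not part of the original e-mails or of any LinkPlay code: it scans the files of an unpacked app package for an Artifactory API key, the `X-JFrog-Art-Api` header name, and bundled PKCS#12 keystores. The `AKC` key pattern, the rule names and the sample files are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: Artifactory API keys start with "AKC" followed by a long
# alphanumeric run (the report quotes a key beginning "AKCp5bB").
RULES = {
    "artifactory-api-key": re.compile(rb"\bAKC[A-Za-z0-9]{10,}"),
    "artifactory-api-header": re.compile(rb"X-JFrog-Art-Api", re.I),
}
# A client keystore shipped in the app implies its password ships too.
KEYSTORE_SUFFIXES = {".p12", ".pfx"}


def scan_blob(name, data):
    """Return sorted (rule, file, evidence) findings for one file's bytes."""
    findings = []
    if Path(name).suffix.lower() in KEYSTORE_SUFFIXES:
        findings.append(("bundled-client-keystore", name, ""))
    for rule, pattern in RULES.items():
        for match in pattern.finditer(data):
            text = match.group().decode("ascii")
            # Never echo a full credential into build logs.
            if rule == "artifactory-api-key":
                text = text[:4] + "[redacted]"
            findings.append((rule, name, text))
    return sorted(set(findings))


def scan_tree(root):
    """Scan every file under an unpacked APK/IPA directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            findings += scan_blob(rel, path.read_bytes())
    return findings


# Constructed sample inputs (not taken from any real app).
SAMPLE_FILES = {
    "classes.dex": b'\x00setHeader("X-JFrog-Art-Api", "AKCexampleEXAMPLE0000")\x00',
    "assets/client_cert.p12": b"\x30\x82\x01\x02",
    "res/strings.xml": b"<string name='app'>Speaker</string>",
}

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLE_FILES.items():
        for finding in scan_blob(sample_name, sample_data):
            print(finding)
```

Run `scan_tree` on the directory produced by unzipping the release build and fail the pipeline when it returns any finding.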
