Security Advisory: SMTP Credential Pass-back

Allie Wojtanowski — Thu, 16 May 2024 16:50:55 +0000

May 16, 2024

CVE-2024-33471

Impacted Devices and Firmware:

Room Alert 4E, firmware 4.4.0 and earlier
Room Alert 3E, firmware 2.4.0 and earlier
Room Alert 12E, firmware 3.3.0 and earlier
Room Alert 32E, firmware 3.3.1 and earlier
Room Alert 3S, firmware 1.10.3 and earlier
Room Alert 12S, firmware 1.10.3 and earlier
Room Alert 32S, firmware 1.10.3 and earlier

Summary:

Changing the mail server within the device allows the configured credentials to be sent in plaintext to an attacker via credential pass-back attack.

Description:

An individual with administrative access can change the mail server host within the device. An attacker who has obtained administrative access can update the mail server to an attacker controller IP. When the device attempts to authenticate to the mail server, it will pass the previously configured credentials in plaintext to the attacker’s IP.

Recommendation:

For users of S-models, upgrade to firmware 1.10.4 or higher which requires SMTP credentials to be re-entered whenever the mail server host is changed. Regardless of the model, AVTECH strongly recommends that users set custom administrative credentials on the device to restrict access to all settings, including SMTP settings. When using E-models, use Room Alert Account or Room Alert Manager, where possible, to send email notifications instead of sending them directly from the device. If the device is not being used to send emails, ensure any SMTP credentials have been removed from the device.

The post Security Advisory: SMTP Credential Pass-back appeared first on AVTECH.

Security Advisory: SMTP Password Disclosure in DOM

Allie Wojtanowski — Thu, 16 May 2024 16:46:56 +0000

May 16, 2024

CVE-2024-33470

Impacted Devices and Firmware:

Room Alert 4E, firmware 4.4.0 and earlier
Room Alert 3E, firmware 2.4.0 and earlier
Room Alert 12E, firmware 3.3.0 and earlier
Room Alert 32E, firmware 3.3.1 and earlier

Summary:

The SMTP password for a previously saved set of credentials is disclosed by the device to an administrator.

Description:

When an administrator authenticates with the device and browses the settings pages, the SMTP password is loaded from the device and presented in the DOM in plaintext. When settings are saved, the SMTP credentials are sent back to the device in plain text. This allows an actor with administrative access to the device to obtain the SMTP credentials previously stored in the device’s settings.

Recommendation:

For best security, upgrade from legacy E-model devices to S-models which do not have this vulnerability. Regardless of the model, AVTECH strongly recommends that users set custom administrative credentials on the device to restrict access to all settings, including SMTP credentials. When using E-models, use Room Alert Account or Room Alert Manager, where possible, to send email notifications instead of sending them directly from the device. If the device is not being used to send emails, ensure any SMTP credentials have been removed from the device.

The post Security Advisory: SMTP Password Disclosure in DOM appeared first on AVTECH.

Security Advisories – AVTECH

Security Advisory: SMTP Credential Pass-back

May 16, 2024

CVE-2024-33471

Security Advisory: SMTP Password Disclosure in DOM

May 16, 2024

CVE-2024-33470