lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201603011828.u21IS22W029891@sf01web1.securityfocus.com>
Date: Tue, 1 Mar 2016 18:28:02 GMT
From: jeremyscott@...utionary.com
To: bugtraq@...urityfocus.com
Subject: Vivint Sky Control Panel Unauthenticated Access Vulnerability

Vivint Sky Control Panel Unauthenticated Access Vulnerability
Solutionary ID: SERT-VDN-1017

Risk Rating:  High

CVE ID: CVE-2014-8362

Product: Vivint Sky Control Panel

Application Vendor: Vivint

Vendor URL: http://www.vivint.com/en/

Date discovered: 09/25/2014

Discovered by: Jeremy Scott and Solutionary Security Engineering Research Team (SERT)

Vendor notification date: 10/17/2014

Vendor response date: No Response

Vendor acknowledgment date: No Response

Public disclosure date: 09/22/2015

Type of vulnerability: Unauthenticated Administrative Access

Exploit Vectors: Local and Remote

Vulnerability Description: Vivint Sky Control Panel contains a flaw allowing unauthenticated access through a Web-enabled interface (default port 8090) to the Vivint Sky application. Unauthenticated access allows modifications to security settings including the capability to enable and disable the alarm.

Tested on: Vivint Sky Control Panel v1.1.1.9926

Affected software versions: Vivint Sky Control Panel v1.1.1.9926

Impact: Successful access to the control panel without requiring authentication allows an attacker to modify the alarm settings to aid in the unauthorized access of the physical premises, affect the integrity of the alarm system and create false alarms.

Fixed in: Current version

Remediation guidelines: The vendor has implemented authentication to require authentication to the Web interface. Please contact the vendor and request a firmware update to mitigate the vulnerability, if identified.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ