Revolution Pi: Multiple Authentication Vulnerabilities in webstatus Package

KUNBUS-2022002: Multiple Authentication Vulnerabilities in webstatus Package

Publisher: Kunbus PSIRT Document category: csaf_security_advisory
Initial release date: 2022-12-20T11:00:00.000Z Engine: Secvisogram 2.0.0
Current release date: 2022-12-20T11:00:00.000Z Build Date: 2022-12-21T08:29:26.161Z
Current version: 1 Status: final
CVSSv3.1 Base Score: 9.8 Severity:
Original language: en-US Language: en-US
Also referred to:

Product groups

Revolution Pi OS Full Images
  • KUNBUS Revolution Pi Revolution Pi OS Buster (08/2022)
  • KUNBUS Revolution Pi Revolution Pi OS Buster (05/2022)
Revolution Pi OS Lite Images
  • KUNBUS Revolution Pi Revolution Pi OS Buster Lite (08/2022)
  • KUNBUS Revolution Pi Revolution Pi OS Buster Lite (05/2022)
webstatus < 2.0.5
  • KUNBUS Revolution Pi webstatus up to 2.0.2-1
  • KUNBUS Revolution Pi webstatus 2.0.3
  • KUNBUS Revolution Pi webstatus 2.0.4

Vulnerabilities

Password reset to known value for unauthenticated user

Password reset to known value for unauthenticated user (all)

It is possible to set the login password to a pre-known hash value for an unauthenticated user.

CWE: CWE-640:Weak Password Recovery Mechanism for Forgotten Password

Product status

Known affected
Product CVSS-Vector CVSS Base Score
KUNBUS Revolution Pi webstatus up to 2.0.2-1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R 9.8
Last affected
Product CVSS-Vector CVSS Base Score
KUNBUS Revolution Pi webstatus up to 2.0.2-1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R 9.8
Fixed
  • KUNBUS Revolution Pi webstatus 2.0.3
  • KUNBUS Revolution Pi Revolution Pi OS Buster (05/2022)
  • KUNBUS Revolution Pi Revolution Pi OS Buster Lite (05/2022)

Remediations

Workaround

Disable the Apache Webserver serving webstatus and pictory or disable there webroot at the apache configuration

For products:
  • KUNBUS Revolution Pi webstatus up to 2.0.2-1

Unauthenticated user can get default password

Unauthenticated user can get default password (all)

An unauthenticated user can get the default password without additional security measures.

CWE: CWE-200:Exposure of Sensitive Information to an Unauthorized Actor

Product status

Last affected
Product CVSS-Vector CVSS Base Score
KUNBUS Revolution Pi webstatus up to 2.0.2-1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R 9.8
First fixed
  • KUNBUS Revolution Pi webstatus 2.0.3
  • KUNBUS Revolution Pi Revolution Pi OS Buster (05/2022)
  • KUNBUS Revolution Pi Revolution Pi OS Buster Lite (05/2022)

Remediations

Mitigation

Disable the possibility to reset the password to the default password in the webstatus UI. Addionally make sure that the SSH password is changed.

For products:
  • KUNBUS Revolution Pi webstatus up to 2.0.2-1
Workaround

Disable the Apache Webserver serving webstatus and pictory or disable there webroot at the apache configuration.

For products:
  • KUNBUS Revolution Pi webstatus up to 2.0.2-1

Unauthenticated user can get information to reconstruct default password

Unauthenticated user can get information to reconstruct default password

An unauthenticated user can get information that, combined with other information, reveals the default password.

CWE: CWE-200:Exposure of Sensitive Information to an Unauthorized Actor

Product status

Known affected
Product CVSS-Vector CVSS Base Score
KUNBUS Revolution Pi Revolution Pi OS Buster (08/2022) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R 9.8
KUNBUS Revolution Pi Revolution Pi OS Buster (05/2022) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R 9.8
KUNBUS Revolution Pi Revolution Pi OS Buster Lite (08/2022) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R 9.8
KUNBUS Revolution Pi Revolution Pi OS Buster Lite (05/2022) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R 9.8
Last affected
Product CVSS-Vector CVSS Base Score
KUNBUS Revolution Pi webstatus 2.0.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R 9.8
First fixed
  • KUNBUS Revolution Pi webstatus 2.0.5

Remediations

Mitigation

Disable the possibility to reset the password to the default password in the webstatus UI. Addionally make sure that the SSH password is changed.

For products:
  • KUNBUS Revolution Pi webstatus up to 2.0.2-1
  • KUNBUS Revolution Pi webstatus 2.0.3
  • KUNBUS Revolution Pi webstatus 2.0.4
  • KUNBUS Revolution Pi Revolution Pi OS Buster (08/2022)
  • KUNBUS Revolution Pi Revolution Pi OS Buster (05/2022)
  • KUNBUS Revolution Pi Revolution Pi OS Buster Lite (08/2022)
  • KUNBUS Revolution Pi Revolution Pi OS Buster Lite (05/2022)
Workaround

Disable the Apache Webserver serving webstatus and pictory or disable there webroot at the apache configuration.

For products:
  • KUNBUS Revolution Pi webstatus up to 2.0.2-1
  • KUNBUS Revolution Pi webstatus 2.0.3
  • KUNBUS Revolution Pi webstatus 2.0.4
  • KUNBUS Revolution Pi Revolution Pi OS Buster (08/2022)
  • KUNBUS Revolution Pi Revolution Pi OS Buster (05/2022)
  • KUNBUS Revolution Pi Revolution Pi OS Buster Lite (08/2022)
  • KUNBUS Revolution Pi Revolution Pi OS Buster Lite (05/2022)

Kunbus PSIRT

Namespace: https://www.kunbus.de

product-security@kunbus.com

Revision history

Version Date of the revision Summary of the revision
1 2022-12-20T11:00:00.000Z Initial Version following the release of a patched version of Webstatus.

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/

Download JSON file

kunbus-2022002.json (11.3 KiB)