Revolution Pi: Multiple Authentication Vulnerabilities in webstatus Package
KUNBUS-2022002: Multiple Authentication Vulnerabilities in webstatus Package
| Publisher: Kunbus PSIRT | Document category: csaf_security_advisory |
| Initial release date: 2022-12-20T11:00:00.000Z | Engine: Secvisogram 2.0.0 |
| Current release date: 2022-12-20T11:00:00.000Z | Build Date: 2022-12-21T08:29:26.161Z |
| Current version: 1 | Status: final |
| CVSSv3.1 Base Score: 9.8 | Severity: |
| Original language: en-US | Language: en-US |
| Also referred to: | |
Product groups
Revolution Pi OS Full Images- KUNBUS Revolution Pi Revolution Pi OS Buster (08/2022)
- KUNBUS Revolution Pi Revolution Pi OS Buster (05/2022)
- KUNBUS Revolution Pi Revolution Pi OS Buster Lite (08/2022)
- KUNBUS Revolution Pi Revolution Pi OS Buster Lite (05/2022)
- KUNBUS Revolution Pi webstatus up to 2.0.2-1
- KUNBUS Revolution Pi webstatus 2.0.3
- KUNBUS Revolution Pi webstatus 2.0.4
Vulnerabilities
Password reset to known value for unauthenticated user
Password reset to known value for unauthenticated user (all)It is possible to set the login password to a pre-known hash value for an unauthenticated user.
| CWE: | CWE-640:Weak Password Recovery Mechanism for Forgotten Password |
|---|
Product status
Known affected
| Product | CVSS-Vector | CVSS Base Score |
|---|---|---|
| KUNBUS Revolution Pi webstatus up to 2.0.2-1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R | 9.8 |
Last affected
| Product | CVSS-Vector | CVSS Base Score |
|---|---|---|
| KUNBUS Revolution Pi webstatus up to 2.0.2-1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R | 9.8 |
Fixed
- KUNBUS Revolution Pi webstatus 2.0.3
- KUNBUS Revolution Pi Revolution Pi OS Buster (05/2022)
- KUNBUS Revolution Pi Revolution Pi OS Buster Lite (05/2022)
Remediations
Workaround
Disable the Apache Webserver serving webstatus and pictory or disable there webroot at the apache configuration
For products:
- KUNBUS Revolution Pi webstatus up to 2.0.2-1
Unauthenticated user can get default password
Unauthenticated user can get default password (all)An unauthenticated user can get the default password without additional security measures.
| CWE: | CWE-200:Exposure of Sensitive Information to an Unauthorized Actor |
|---|
Product status
Last affected
| Product | CVSS-Vector | CVSS Base Score |
|---|---|---|
| KUNBUS Revolution Pi webstatus up to 2.0.2-1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R | 9.8 |
First fixed
- KUNBUS Revolution Pi webstatus 2.0.3
- KUNBUS Revolution Pi Revolution Pi OS Buster (05/2022)
- KUNBUS Revolution Pi Revolution Pi OS Buster Lite (05/2022)
Remediations
Mitigation
Disable the possibility to reset the password to the default password in the webstatus UI. Addionally make sure that the SSH password is changed.
For products:
- KUNBUS Revolution Pi webstatus up to 2.0.2-1
Workaround
Disable the Apache Webserver serving webstatus and pictory or disable there webroot at the apache configuration.
For products:
- KUNBUS Revolution Pi webstatus up to 2.0.2-1
Unauthenticated user can get information to reconstruct default password
Unauthenticated user can get information to reconstruct default passwordAn unauthenticated user can get information that, combined with other information, reveals the default password.
| CWE: | CWE-200:Exposure of Sensitive Information to an Unauthorized Actor |
|---|
Product status
Known affected
| Product | CVSS-Vector | CVSS Base Score |
|---|---|---|
| KUNBUS Revolution Pi Revolution Pi OS Buster (08/2022) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R | 9.8 |
| KUNBUS Revolution Pi Revolution Pi OS Buster (05/2022) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R | 9.8 |
| KUNBUS Revolution Pi Revolution Pi OS Buster Lite (08/2022) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R | 9.8 |
| KUNBUS Revolution Pi Revolution Pi OS Buster Lite (05/2022) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R | 9.8 |
Last affected
| Product | CVSS-Vector | CVSS Base Score |
|---|---|---|
| KUNBUS Revolution Pi webstatus 2.0.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R | 9.8 |
First fixed
- KUNBUS Revolution Pi webstatus 2.0.5
Remediations
Mitigation
Disable the possibility to reset the password to the default password in the webstatus UI. Addionally make sure that the SSH password is changed.
For products:
- KUNBUS Revolution Pi webstatus up to 2.0.2-1
- KUNBUS Revolution Pi webstatus 2.0.3
- KUNBUS Revolution Pi webstatus 2.0.4
- KUNBUS Revolution Pi Revolution Pi OS Buster (08/2022)
- KUNBUS Revolution Pi Revolution Pi OS Buster (05/2022)
- KUNBUS Revolution Pi Revolution Pi OS Buster Lite (08/2022)
- KUNBUS Revolution Pi Revolution Pi OS Buster Lite (05/2022)
Workaround
Disable the Apache Webserver serving webstatus and pictory or disable there webroot at the apache configuration.
For products:
- KUNBUS Revolution Pi webstatus up to 2.0.2-1
- KUNBUS Revolution Pi webstatus 2.0.3
- KUNBUS Revolution Pi webstatus 2.0.4
- KUNBUS Revolution Pi Revolution Pi OS Buster (08/2022)
- KUNBUS Revolution Pi Revolution Pi OS Buster (05/2022)
- KUNBUS Revolution Pi Revolution Pi OS Buster Lite (08/2022)
- KUNBUS Revolution Pi Revolution Pi OS Buster Lite (05/2022)
Kunbus PSIRT
Namespace: https://www.kunbus.de
product-security@kunbus.com
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | 2022-12-20T11:00:00.000Z | Initial Version following the release of a patched version of Webstatus. |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/