Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information

Medium
Advisory ID
ZSL-2017-5420
Release Date
10 July 2017
Vendor
Schneider Electric SE - https://www.pelco.com
Affected Version
2.0.41, 1.14.7, 1.12.105
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Summary

VideoXpert is a video management solution designed for scalability, fitting the needs of surveillance operations of any size. VideoXpert Ultimate can also aggregate other VideoXpert systems, tying multiple video management systems into a single interface.

Description

The software protects the 'auth_token' cookie only with double Base64 encoding and transmits it over a communication channel that can be sniffed by unauthorized actors. The same token can also be read directly from the vxcore log file using a directory traversal attack. In both cases the result is authentication bypass / session hijacking.
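The following audit helper is an added example, not code from the advisory or the vendor: it reports how many Base64 layers of a cookie value decode to readable text, which is the weakness class described above. The cookie contents, the sample header and the function names are constructed for illustration.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())

# Constructed samples: the advisory does not state what the real token contains.
SAMPLE_INNER = "user=demo;role=operator"
SAMPLE_TOKEN = base64.b64encode(base64.b64encode(SAMPLE_INNER.encode())).decode()
SAMPLE_HEADER = "lang=en; auth_token=" + SAMPLE_TOKEN
# Base64 of non-printable bytes: stands in for an encrypted or random token.
OPAQUE_TOKEN = base64.b64encode(bytes(range(128, 160))).decode()


def _try_b64(value: bytes):
    """Strictly Base64-decode value; return None if it is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_base64(token: str, max_layers: int = 5):
    """Return (layers, text): Base64 layers that decode to printable text."""
    current = token.strip().encode()
    layers = 0
    while layers < max_layers:
        decoded = _try_b64(current)
        # Stop on invalid Base64, empty output, or binary (opaque) output.
        if not decoded or not all(b in PRINTABLE for b in decoded):
            break
        current, layers = decoded, layers + 1
    return layers, current.decode()


def audit_cookie_header(header: str, name: str = "auth_token"):
    """Flag the named cookie if its value is only encoded, not encrypted."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            layers, _text = peel_base64(value)
            return {"cookie": name, "layers": layers, "encoding_only": layers > 0}
    return None  # cookie not present in this header


if __name__ == "__main__":
    print(audit_cookie_header(SAMPLE_HEADER))
    print(audit_cookie_header("auth_token=" + OPAQUE_TOKEN))
```

A non-zero `layers` result means anyone who can observe the cookie or the log entry can recover its contents, so the value needs real confidentiality (TLS on the channel, an opaque server-side session identifier) and must be kept out of log files.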

Proof of Concept
Disclosure Timeline
05.04.2017 - Vulnerabilities discovered.
28.04.2017 - Vendor contacted.
09.07.2017 - No response from the vendor.
10.07.2017 - Public security advisory released.
05.12.2017 - Vendor releases version 2.1 to address this issue.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
10.07.2017 - Initial release
01.08.2017 - Added reference [2], [3] and [4]
07.08.2017 - Added reference [5]
05.12.2017 - Added vendor status
13.12.2017 - Added reference [5], [6], [7] and [8]
13.01.2018 - Added reference [9], [10], [11], [12], [13], [14], [15] and [16]