← Advisories

BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated SSRF

Medium
Advisory ID
ZSL-2020-5595
Release Date
30 September 2020
Vendor
BrightSign, LLC - https://www.brightsign.biz
Affected Version
Model: XT, XD, HD, LS, Firmware / OS version: <=8.2.26
CVE
N/A
Tested On
roNodeJS
Summary

BrightSign designs media players and provides free software and cloud networking solutions for the commercial digital signage market worldwide, serving all vertical segments of the marketplace.

Description

Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the BrightSign digital signage media player affecting the Diagnostic Web Server (DWS). The application parses user supplied data in the 'url' GET parameter to construct a diagnostics request to the Download Speed Test service. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application.

Proof of Concept
brightsign_ssrf.txtTXT
Disclosure Timeline
01.08.2020Vulnerability discovered.
01.08.2020Vendor contacted.
16.09.2020No response from the vendor.
17.09.2020Vendor contacted.
29.09.2020No response from the vendor.
30.09.2020Public security advisory released.
21.10.2020Vendor releases a statement regarding this issue.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://packetstormsecurity.com/files/159442/
[2]https://www.exploit-db.com/exploits/48843
[3]https://cxsecurity.com/issue/WLB-2020100005
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/189207
[5]https://brightsign.zendesk.com/hc/en-us/articles/360056180694-Regarding-Advisory-ID-ZSL-2020-5595
Changelog
30.09.2020Initial release
06.10.2020Added reference [1], [2], [3] and [4]
26.10.2020Added vendor status and reference [5]