Adtec Digital Multiple Products Default/Hardcoded Credentials Remote Root

Critical
Advisory ID
ZSL-2020-5603
Release Date
26 October 2020
Vendor
Adtec Digital, Inc. - https://www.adtecdigital.com
Affected Version
SignEdje Digital Signage Player v2.08.28, mediaHUB HD-Pro High & Standard Definition MPEG2 Encoder v3.07.19, afiniti Multi-Carrier Platform v1905_11, EN-31 Dual Channel DSNG Encoder / Modulator v2.01.15, EN-210 Multi-CODEC 10-bit Encoder / Modulator v3.00.29, EN-200 1080p AVC Low Latency Encoder / Modulator v3.00.29, ED-71 10-bit / 1080p Integrated Receiver Decoder v2.02.24, edje-5110 Standard Definition MPEG2 Encoder v1.02.05, edje-4111 HD Digital Media Player v2.07.09, Soloist HD-Pro Broadcast Decoder v2.07.09, adManage Traffic & Media Management Application v2.5.4
Tested On
GNU/Linux 4.1.8 (armv7l), GNU/Linux 3.12.38 (PowerPC), GNU/Linux 2.6.14 (PowerPC), Adtec Embedded Linux 0.9 (fido), Apache
Summary

Adtec Digital is a leading manufacturer of Broadcast, Cable and IPTV products and solutions.

Description

The devices utilize hard-coded and default credentials within their Linux distribution image for Web/Telnet/SSH access. A remote attacker could exploit this vulnerability by logging in with the default credentials to access the web interface or gain shell access as root.
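A firmware-review check for the issue described above, added here as an example (not code from the advisory or the vendor): it parses passwd and shadow text from an unpacked image and lists the accounts that can log in with a password stored in that image. The sample entries, account names and hash strings are constructed; no Adtec file contents are used.

```python
# Audit passwd/shadow text taken from an unpacked firmware root filesystem.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
service:x:0:0:field service:/home/service:/bin/sh
ftp::100:100:ftp:/home/ftp:/bin/sh
"""  # constructed sample, not from any real device
SAMPLE_SHADOW = """\
root:$1$constructed$0000000000000000000000:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
service:$1$constructed$1111111111111111111111:18000:0:99999:7:::
"""  # constructed sample; the hash strings are placeholders

def parse_colon_file(text):
    """Return {username: fields} for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if fields[0] and not fields[0].startswith("#"):
            entries[fields[0]] = fields
    return entries

def password_state(hash_field):
    """Classify the password field of a shadow (or legacy passwd) entry."""
    if hash_field == "":
        return "empty"       # login succeeds with no password at all
    if hash_field[0] in "!*":
        return "locked"      # password login disabled (keys may still work)
    return "baked-in"        # same hash shipped on every unit running this image

def audit(passwd_text, shadow_text=""):
    """List accounts that can log in with a credential stored in the image."""
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, f in parse_colon_file(passwd_text).items():
        if len(f) < 7:
            continue         # malformed passwd line
        hash_field = f[1]
        if hash_field == "x":            # "x" means the hash lives in shadow
            entry = shadow.get(user, [])
            hash_field = entry[1] if len(entry) > 1 else "*"
        state = password_state(hash_field)
        if state != "locked" and f[6] not in NOLOGIN_SHELLS:
            findings.append({"user": user, "uid0": f[2] == "0",
                             "shell": f[6] or "/bin/sh", "state": state})
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

Any finding with `uid0` set is a root-equivalent login shared by every device running that image; the fix is a per-device credential set at provisioning, with Telnet disabled.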

Proof of Concept
Disclosure Timeline
24.07.2020 - Vulnerability discovered.
12.10.2020 - Vendor contacted.
25.10.2020 - No response from the vendor.
26.10.2020 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
26.10.2020 - Initial release
04.11.2020 - Added reference [1], [2] and [3]
24.03.2026 - Added reference [4]