search menu icon-carat-right cmu-wordmark

CERT Coordination Center

PolyVision RoomWizard insecurely stores Sync Connector Active Directory credentials and uses default administrative password

Vulnerability Note VU#870601

Original Release Date: 2011-01-07 | Last Revised: 2011-01-07

Overview

The PolyVision RoomWizard web based scheduling system with touch screen display contains two vulnerabilities that allow an unauthorized user to access the device console and Sync Connector Active Directory credentials.

Description

The PolyVision RoomWizard is a touch screen scheduling device with a web-based administrative interface. The Sync Connector feature allows the RoomWizard to communicate with Microsoft Exchange in an Microsoft Windows Actitve Directory (AD) environment. The Sync Connector AD credentials are disclosed in the content of a web page on the administrative interface. This vulnerability has been reported to be affected in RoomWizard firmware version 3.2.3.

An additional issue exists in that the RoomWizard ships with a default password on the administrator account permitting console access via HTTP.

Impact

An attacker with HTTP access to a RoomWizard device and knowledge of the administrative password could obtain the AD credentials. The attacker could also modify settings, including network configuration, which could prevent legitimate users from accessing the RoomWizard device.

Solution

Change default passwords

Change the default administrative password before deploying RoomWizard devices in an production environment.

Upgrade

It has been reported to us that RoomWizard firmware version 3.2.3 is affected by this vulnerability. PolyVision was unable to reproduce the Sync Connector AD credentials vulnerability utilizing the latest revisions of the Room Wizard firmware, version 3.5. PolyVision recommends all RoomWizard devices be upgraded to the latest version of firmware.


Restrict access

Restrict network access to the RoomWizard and other devices using open protocols like HTTP.
PolyVision also recommends requiring the use of SSL on the RoomWizard device if possible.

Vendor Information

870601
 
Affected   Unknown   Unaffected

PolyVision

Notified:  October 18, 2010 Updated:  December 08, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Sean Lam for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2010-0214
Severity Metric: 1.26
Date Public: 2011-01-07
Date First Published: 2011-01-07
Date Last Updated: 2011-01-07 12:55 UTC
Document Revision: 32

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.