Update: We have released a production firmware patch for the vulnerabilities outlined below. Please visit the Downloads page to download the update.
Two vulnerabilities have been found relating to the Diagnostic Web Server (DWS) on the device. These vulnerabilities are catalogued as CVE-2017-17737, CVE-2017-17738, and CVE-2017-17739.
- Cross-Site Scripting Attack: An attacker can construct a malicious link to content on the DWS, which can fool a browser into running arbitrary JavaScript. This may allow an attacker to compromise a BrightSign player; however, they would need to know the IP address of the DWS to construct the link, and they would need to trick someone who knows the DWS login credentials into clicking that link.
- Viewable File Path: A user who already has access to the DWS can, by adding certain characters to the /storage.html URL, view file directories that they should not be able to see. So far, it does not seem possible to view or edit the contents of files in this manner—only the directories are visible.
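Both issues above come down to how a diagnostic web server treats URL input: the listing endpoint must confine every requested path to the storage root before touching the filesystem, and every page that echoes that input back (listings and "not found" pages alike) must HTML-encode it. The following is an added illustration of those two checks, not BrightSign's DWS code; the `/storage` root, the in-memory directory tree, and the function names are assumptions made for the example, since the page does not describe the real server's layout.

```python
import html
import posixpath
from urllib.parse import unquote

# Assumed storage root for the example; the real DWS layout is not on the page.
STORAGE_ROOT = "/storage"

# Constructed in-memory directory tree standing in for the player's storage
# volume. "/etc" sits outside the root and must never appear in a listing.
FAKE_TREE = {
    "/storage": ["sd", "usb1"],
    "/storage/sd": ["autorun.brs", "media"],
    "/storage/sd/media": ["clip1.mp4"],
    "/etc": ["passwd", "shadow"],
}


def resolve_storage_path(requested: str, root: str = STORAGE_ROOT):
    """Map a URL path segment to a path under root, or return None if it escapes.

    The server decodes once, joins under the root, collapses "." and ".."
    with normpath, and only then checks containment, so encoded dot segments
    are handled the same way as literal ones.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:          # NUL bytes have no place in a path
        return None
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment: the normalised path must be the root itself or below it.
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


def render_listing(requested: str, entries) -> str:
    """Build the listing page; every untrusted string is HTML-encoded.

    Directory entry names are treated as untrusted too: they come from
    removable media and could carry markup just as the URL can.
    """
    safe_path = html.escape(requested, quote=True)
    rows = "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in entries)
    return f"<h1>Listing: {safe_path}</h1><ul>{rows}</ul>"


def handle_storage_request(requested: str, tree=FAKE_TREE, root: str = STORAGE_ROOT):
    """Return (status, body) for a directory-listing request."""
    target = resolve_storage_path(requested, root)
    if target is None:
        # Rejected input is not echoed at all.
        return 400, "<p>Invalid path</p>"
    entries = tree.get(target)
    if entries is None:
        # Error pages are a classic place for reflected input; encode it here too.
        return 404, f"<p>Not found: {html.escape(requested, quote=True)}</p>"
    return 200, render_listing(requested, entries)


if __name__ == "__main__":
    for path in ["sd/media", "sd/../../etc", "%2e%2e/%2e%2e/etc", "sd/<script>x</script>"]:
        print(path, "->", handle_storage_request(path))
```

A production server would resolve the path with `os.path.realpath` (or the platform equivalent) so that symlinks inside the storage volume cannot point outside it; `posixpath.normpath` is used here only so the example runs against the constructed tree without touching a disk.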
Note: We do not recommend using the DWS in security-sensitive production environments under any circumstance. Please see the BrightSign Player Security statement for more details.