CVE-2020-16257: Winston IoT RCE

Virsec Security Research Lab Vulnerability Report

The Virsec Security Research Lab, helmed by Virsec CTO, Satya Gupta, provides timely, relevant analysis about prevalent security vulnerabilities.

1.1        Vulnerability Summary

The Winston Privacy device management API is vulnerable to command injection resulting in unauthenticated remote code execution (RCE). Specifically, the /api/advanced_settings endpoint allows device settings to be altered, including the Proxy Address.

By exploiting these vulnerabilities an attacker could compromise the Winston Privacy device at a root level (high privilege) and gain complete control of the device as well as access to users’ local networks from the context of a remote unauthenticated attacker. The vulnerabilities allowed for any device settings to be altered through an attack chain. Additionally, an SSH service was discovered on the device that was undocumented to the users’ knowledge, meaning Winston Privacy staff could access devices remotely.

Watch the video to learn more about this and other important vulnerabilities.

1.2        CVSS Score

The CVSS Base Score is 9.8 (Critical)

1.3        Affected Version

Winston 1.5.4 devices

1.4        Vulnerability Attribution

Reported by Sergei Glazunov of Google Project Zero on 2020-11-01.

1.5        Risk Impact

Winston Privacy combines a hardware device with a subscription offering that allows Winston’s users’ Internet browsing to remain free from the prying eyes of what some privacy advocates believe are some of the large companies. Winston protects its users from security attacks. A publicly available exploit is available for this vulnerability.

1.5.1         IoT Security Attacks

The biggest attack vector for IoT products is DNS Rebinding, where a malicious actor tricks the device into connecting somewhere other than it intended to, even potentially receiving firmware updates from an attacker’s server in a country halfway around the world. That server could download new source code that allows them to control the device. Winston prevents these robotic takeovers by intercepting all outbound DNS requests, encrypting them, and sending them off to Cloudflare or IBM. They are also all scrambled, providing an enhanced level of privacy protection in addition to the heightened security features.

1.6        Reference Links:

Download the full vulnerability report to learn more about this and other important vulnerabilities.

The post CVE-2020-16257: Winston IoT RCE appeared first on Virsec Systems.


*** This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Satya Gupta. Read the original post at: https://virsec.com/cve-2020-16257-winston-iot-rce/