Vivint Sky Control Panel Unauthenticated Access Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Vivint Sky Control Panel Unauthenticated Access Vulnerability
- From: jeremyscott@xxxxxxxxxxxxxxx
- Date: Tue, 1 Mar 2016 18:28:02 GMT
Vivint Sky Control Panel Unauthenticated Access Vulnerability
Solutionary ID: SERT-VDN-1017
Risk Rating: High
CVE ID: CVE-2014-8362
Product: Vivint Sky Control Panel
Application Vendor: Vivint
Vendor URL: http://www.vivint.com/en/
Date discovered: 09/25/2014
Discovered by: Jeremy Scott and Solutionary Security Engineering Research Team
(SERT)
Vendor notification date: 10/17/2014
Vendor response date: No Response
Vendor acknowledgment date: No Response
Public disclosure date: 09/22/2015
Type of vulnerability: Unauthenticated Administrative Access
Exploit Vectors: Local and Remote
Vulnerability Description: Vivint Sky Control Panel contains a flaw allowing
unauthenticated access through a Web-enabled interface (default port 8090) to
the Vivint Sky application. Unauthenticated access allows modifications to
security settings including the capability to enable and disable the alarm.
Tested on: Vivint Sky Control Panel v1.1.1.9926
Affected software versions: Vivint Sky Control Panel v1.1.1.9926
Impact: Successful access to the control panel without requiring authentication
allows an attacker to modify the alarm settings to aid in the unauthorized
access of the physical premises, affect the integrity of the alarm system and
create false alarms.
Fixed in: Current version
Remediation guidelines: The vendor has implemented authentication for the Web
interface. Please contact the vendor and request a firmware update to mitigate
the vulnerability, if identified.
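
Added example, not part of the original advisory: one way to review firewall or router connection logs for access to the panel's Web interface on default port 8090, split by the local and remote vectors the advisory names. The key=value log format, all IP addresses, the trusted-host list and the function name are assumptions made for illustration.

```python
import ipaddress
import re

PANEL_PORT = 8090  # default Web interface port named in the advisory
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines in an assumed key=value firewall log format.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z action=ACCEPT src=192.168.1.23 dst=192.168.1.50 dport=8090 proto=tcp
2016-03-01T10:02:17Z action=ACCEPT src=203.0.113.77 dst=192.168.1.50 dport=8090 proto=tcp
2016-03-01T10:03:40Z action=DROP src=198.51.100.9 dst=192.168.1.50 dport=8090 proto=tcp
2016-03-01T10:05:02Z action=ACCEPT src=192.168.1.10 dst=192.168.1.50 dport=443 proto=tcp
2016-03-01T10:06:30Z action=ACCEPT src=192.168.1.99 dst=192.168.1.50 dport=8090 proto=tcp
"""


def audit_panel_access(log_text, panel_ip, lan_cidr, trusted_hosts):
    """Return (vector, source) pairs for accepted connections to the panel's
    Web port that come from outside the LAN or from untrusted LAN hosts."""
    lan = ipaddress.ip_network(lan_cidr)
    panel = ipaddress.ip_address(panel_ip)
    findings = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
            dport = int(fields["dport"])
        except (KeyError, ValueError):
            continue  # skip malformed or unrelated lines
        if dst != panel or dport != PANEL_PORT:
            continue
        if fields.get("action") != "ACCEPT":
            continue  # blocked attempts never reached the interface
        if src not in lan:
            findings.append(("remote", str(src)))
        elif str(src) not in trusted_hosts:
            findings.append(("local-untrusted", str(src)))
    return findings


if __name__ == "__main__":
    hits = audit_panel_access(SAMPLE_LOG, "192.168.1.50",
                              "192.168.1.0/24", {"192.168.1.23"})
    for vector, src in hits:
        print(f"{vector}: {src} reached the panel on port {PANEL_PORT}")
```

Any "remote" finding means the interface is reachable from outside the LAN and should be blocked at the perimeter regardless of firmware version.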