Executive Summary

Summary
Title: PolyVision RoomWizard insecurely stores Sync Connector Active Directory credentials and uses default administrative password

Information

Name: VU#870601
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2011-01-07
Last vendor modification: 2011-01-07
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA              Environmental Score: NA
Impact Sub Score: NA        Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score: 7.5        Attack Range: Network
CVSS Impact Score: 6.4      Attack Complexity: Low
CVSS Exploit Score: 10      Authentication: None Required

Detail

Vulnerability Note VU#870601

PolyVision RoomWizard insecurely stores Sync Connector Active Directory credentials and uses default administrative password

Overview

The PolyVision RoomWizard, a web-based scheduling system with a touch screen display, contains two vulnerabilities that together allow an unauthorized user to access the device console and to read the Sync Connector Active Directory credentials.

I. Description

The PolyVision RoomWizard is a touch screen scheduling device with a web-based administrative interface. The Sync Connector feature allows the RoomWizard to communicate with Microsoft Exchange in a Microsoft Windows Active Directory (AD) environment. The Sync Connector AD credentials are disclosed in the content of a web page on the administrative interface, so anyone who can load that page can read them from its HTML source. This vulnerability has been reported to affect RoomWizard firmware version 3.2.3.

An additional issue exists in that the RoomWizard ships with a default password on the administrator account, permitting console access via HTTP to anyone who knows the documented default.

II. Impact

An attacker with HTTP access to a RoomWizard device and knowledge of the administrative password could obtain the AD credentials. The attacker could also modify settings, including network configuration, which could prevent legitimate users from accessing the RoomWizard device.

III. Solution

Change default passwords

Change the default administrative password before deploying RoomWizard devices in a production environment.


Upgrade

It has been reported to us that RoomWizard firmware version 3.2.3 is affected by this vulnerability. PolyVision was unable to reproduce the Sync Connector AD credentials vulnerability using the latest revision of the RoomWizard firmware, version 3.5. PolyVision recommends that all RoomWizard devices be upgraded to the latest version of firmware.

Restrict access

Restrict network access to the RoomWizard and to other devices that use cleartext protocols such as HTTP.
PolyVision also recommends requiring SSL on the RoomWizard device where possible, so that the administrative password and the AD credentials are not sent in the clear.

Vendor Information

Vendor        Status      Date Notified   Date Updated
PolyVision    Affected    2010-10-18      2010-12-08

References

http://steelcase.polyvision.com/support/downloads-roomwiz.asp

Credit

Thanks to Sean Lam for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public: 2011-01-07
Date First Published: 2011-01-07
Date Last Updated: 2011-01-07
CERT Advisory: 
CVE-ID(s): CVE-2010-0214
NVD-ID(s): CVE-2010-0214
US-CERT Technical Alerts: 
Severity Metric: 1.26
Document Revision: 32

Original Source

Url : http://www.kb.cert.org/vuls/id/870601

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-255 Credentials Management
50 % CWE-200 Information Exposure

CPE : Common Platform Enumeration

Type          Description   Count
Application                 1
Hardware                    1

Open Source Vulnerability Database (OSVDB)

Id Description
70389 RoomWizard Admin Interface /admin/sign/DeviceSynch Sync Connector AD Credenti...

RoomWizard contains a flaw that may lead to an unauthorized information disclosure. The administrative interface places the Sync Connector Active Directory (AD) credentials into a web form that is served over HTTP on port 80, so a remote attacker who can load the /admin/sign/DeviceSynch URI learns the credentials simply by reading the page's HTML source. As the Impact section above notes, reaching that page requires HTTP access to the device and the administrative password; the default-password issue below supplies the latter, and because the page travels over plain HTTP the credentials are also exposed to anyone who can observe the traffic.
70388 RoomWizard Admin Account Default Password

RoomWizard ships with a default administrator password of roomwizard, which is publicly known and documented. This allows attackers to trivially log in to the administrative interface and gain privileged access to the device.
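As an added example (not code from CERT, OSVDB or PolyVision), the script below audits a device for both issues listed above: it tries the documented default password against the /admin/sign/DeviceSynch page and, if the device accepts it, scans the returned HTML for form inputs whose value attributes carry credentials, which is how the Sync Connector AD credentials leak. The administrator account name, the form field names, the use of HTTP Basic authentication for the admin interface and the sample page are all assumptions; the advisory does not give any of them. The fetch function is injected so the audit runs offline against the constructed sample and can be pointed at a live device by passing the real fetcher instead.

```python
"""Audit helper for the two RoomWizard issues in this note: the Sync Connector
AD credentials pre-filled into the /admin/sign/DeviceSynch form (OSVDB 70389)
and the documented default administrator password (OSVDB 70388).
Added example for this page; not PolyVision, CERT or OSVDB code."""
import base64
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Path and default password are taken from the OSVDB entries above.
SYNC_CONNECTOR_PATH = "/admin/sign/DeviceSynch"
DEFAULT_ADMIN_PASSWORD = "roomwizard"

# Assumption: credential-bearing fields can be recognised by name. The real
# field names on the device are not given on this page.
CREDENTIAL_NAME_RE = re.compile(r"pass|pwd|secret|user|login|account|domain", re.I)


class _InputCollector(HTMLParser):
    """Collects (name, type, value) of every <input> in the page.
    HTMLParser already decodes entities such as &amp; in attribute values."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        self.inputs.append((a.get("name", ""), a.get("type", "text").lower(), a.get("value", "")))


def find_prefilled_credentials(page_html):
    """Return [(field_name, value)] for inputs whose value attribute carries a
    credential: any password-type field with a value, or any credential-looking
    field with a value. Such a value is readable by anyone who can fetch the
    page, which is exactly the disclosure described in OSVDB 70389."""
    collector = _InputCollector()
    collector.feed(page_html)
    return [
        (name, value)
        for name, typ, value in collector.inputs
        if value and (typ == "password" or CREDENTIAL_NAME_RE.search(name))
    ]


def audit_roomwizard(fetch, host, admin_user, scheme="http"):
    """fetch(url, (user, password)) -> (status_code, body).
    Tries the documented default password for admin_user (the account name is
    not given on this page, so the caller supplies it) and, if that works,
    scans the Sync Connector page for pre-filled credentials."""
    url = f"{scheme}://{host}{SYNC_CONNECTOR_PATH}"
    status, body = fetch(url, (admin_user, DEFAULT_ADMIN_PASSWORD))
    return {
        "default_admin_password_accepted": status == 200,
        "served_over_cleartext_http": scheme == "http",
        "exposed_fields": find_prefilled_credentials(body) if status == 200 else [],
    }


def http_basic_fetch(url, auth, timeout=10):
    """Live fetch for use as audit_roomwizard's fetch argument. Assumption: the
    admin interface accepts HTTP Basic authentication; the page does not say
    how the device authenticates, so adapt this if it uses a login form."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


# Constructed sample of what a vulnerable Sync Connector page could look like.
# Field names and values are invented for this example.
SAMPLE_VULNERABLE_PAGE = """<html><body>
<form method="post" action="/admin/sign/DeviceSynch">
  <input type="text" name="adDomain" value="corp.example">
  <input type="text" name="adUsername" value="svc_roomwizard">
  <input type="password" name="adPassword" value="S3cret&amp;Pass">
  <input type="submit" value="Save">
</form></body></html>"""


def fake_fetch(url, auth):
    """Offline stand-in for http_basic_fetch: behaves like a device that still
    has the default password and still pre-fills the form."""
    if url.endswith(SYNC_CONNECTOR_PATH) and auth[1] == DEFAULT_ADMIN_PASSWORD:
        return 200, SAMPLE_VULNERABLE_PAGE
    return 401, ""


if __name__ == "__main__":
    # Assumption: account name "administrator"; replace with the device's real one.
    for key, val in audit_roomwizard(fake_fetch, "roomwizard.example", "administrator").items():
        print(f"{key}: {val}")
```

Against a live device, call audit_roomwizard(http_basic_fetch, host, account) instead of passing fake_fetch. A device patched to 3.5, with the default password changed and SSL required, should report False for both flags and an empty field list; the submit button's value is deliberately not flagged, since only password-type fields and credential-looking names count.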