6 matches found
ENTTEC Lighting Controllers (Update A)
1. EXECUTIVE SUMMARY. CVSS v3 8.8. ATTENTION: Exploitable remotely/low skill level to exploit/public exploits are available. Vendor: ENTTEC. Equipment: Datagate Mk2, Storm 24, Pixelator, E-Streamer Mk2. Vulnerabilities: Use of Hard-coded Cryptographic Key, Cross-site Scripting, Improper Access Control...
Authentication flaw
An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They allow high-privileged root access by www-data via sudo without requiring appropriate access control. Furthermore, the user account that controls the web...
CVE-2019-12777
CVE-2019-12777 affects ENTTEC Datagate Mk2, Storm 24, Pixelator, and E-Streamer Mk2 firmware 70044_update_05032019-482, where startup scripts replace secure directory permissions with permissive rwxrwxrwx on /usr, /usr/local, /usr/local/dmxis, and /usr/local/bin. This is an Incorrect Permission A...
CVE-2019-12776
An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They include a hard-coded SSH backdoor for remote SSH and SCP access as the root user. A command in the relocate and relocaterevB scripts copies the hardcoded key to...
CVE-2019-12775
An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They allow high-privileged root access by www-data via sudo without requiring appropriate access control. Furthermore, the user account that controls the web...
CVE-2019-12775
CVE-2019-12775 affects ENTTEC Datagate Mk2, Storm 24, Pixelator (firmware 70044_update_05032019-482 and prior). The issue enables high-privileged root access via sudo for the www-data/web-app user without proper access control, potentially allowing execution of high-privilege binaries/assets pres...