Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information

Title: Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information
Advisory ID: ZSL-2017-5420
Type: Local/Remote
Impact: Exposure of Sensitive Information, Security Bypass
Risk: (3/5)
Release Date: 10.07.2017
Summary
VideoXpert is a video management solution designed for scalability, fitting the needs of surveillance operations of any size. VideoXpert Ultimate can also aggregate other VideoXpert systems, tying multiple video management systems into a single interface.
Description
The software transmits sensitive data using double Base64 encoding for the 'auth_token' cookie over a communication channel that can be sniffed by unauthorized actors; the same value can also be read directly from the vxcore log file using a directory traversal attack, resulting in authentication bypass / session hijacking.
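As an added illustration (not code from the advisory or from Pelco), the check below flags a cookie value that is merely a reversible Base64 encoding of readable text, the condition described above for 'auth_token', and places it beside an assumed hardened design that issues an opaque, HMAC-tagged session id instead. The sample cookie and the server key are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Tuple

def peel_base64(value: str, max_layers: int = 4) -> Tuple[int, str]:
    """Strip Base64 layers while each result is non-empty printable text.
    Returns (layers removed, innermost text); a doubly encoded string gives 2."""
    text, layers = value, 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(text, validate=True)  # strict alphabet/padding
            inner = decoded.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not inner or not inner.isprintable():
            break
        text, layers = inner, layers + 1
    return layers, text

def cookie_is_merely_encoded(value: str) -> bool:
    """Audit check: True when the value is a reversible encoding of readable text,
    i.e. encoded, not encrypted. Heuristic: short random values may pass by chance."""
    return peel_base64(value)[0] >= 1

def double_base64(text: str) -> str:
    """Constructed sample in the shape the advisory describes (not a real token)."""
    once = base64.b64encode(text.encode()).decode()
    return base64.b64encode(once.encode()).decode()

def issue_opaque_token(secret: bytes) -> str:
    """Hardened alternative (assumed design, not the vendor's fix): a random id that
    carries no data plus an HMAC tag, so forged values fail before any session lookup."""
    session_id = secrets.token_hex(16)
    tag = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"

def verify_opaque_token(token: str, secret: bytes) -> bool:
    session_id, _, tag = token.partition(".")
    expected = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison on bytes, so a non-ASCII tag cannot raise
    return bool(session_id) and hmac.compare_digest(tag.encode(), expected.encode())

if __name__ == "__main__":
    sample = double_base64("user=operator;sid=12345")  # constructed, not captured
    print("double-Base64 cookie flagged:", cookie_is_merely_encoded(sample))
    print("opaque token flagged:", cookie_is_merely_encoded(issue_opaque_token(b"k")))
```

The HMAC tag only defeats forgery; a token that is sniffed or written to the vxcore log in clear is still replayable, so it must travel over TLS and be kept out of log output.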
Vendor
Schneider Electric SE - https://www.pelco.com
Affected Version
2.0.41
1.14.7
1.12.105
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Vendor Status
[05.04.2017] Vulnerabilities discovered.
[28.04.2017] Vendor contacted.
[09.07.2017] No response from the vendor.
[10.07.2017] Public security advisory released.
[05.12.2017] Vendor releases version 2.1 to address this issue.
PoC
pelcovideoxpert_cookie.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php
[2] https://www.exploit-db.com/exploits/42312/
[3] https://cxsecurity.com/issue/WLB-2017070079
[4] https://packetstormsecurity.com/files/143318
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/129664
[5] https://www.schneider-electric.com/b2b/en/support/cybersecurity/security-notifications.jsp
[6] https://www.schneider-electric.com/en/download/document/SEVD-2017-339-01/
[7] SEVD-2017-339-01- Pelco VideoXpert Enterprise (.pdf)
[8] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9964
[9] https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02
[10] https://www.securityfocus.com/bid/102338
[11] http://securityaffairs.co/wordpress/67108/hacking/pelco-videoxpert-flaws.html
[12] https://www.cybersecurity-help.cz/vdb/SB2017122204
[13] https://nvd.nist.gov/vuln/detail/CVE-2017-9964
[14] http://www.isssource.com/schneider-clears-pelco-vulnerabilities/
[15] http://www.securityweek.com/schneider-electric-patches-flaws-pelco-video-management-system
[16] https://www.auscert.org.au/bulletins/56446
Changelog
[10.07.2017] - Initial release
[01.08.2017] - Added reference [2], [3] and [4]
[07.08.2017] - Added reference [5]
[05.12.2017] - Added vendor status
[13.12.2017] - Added reference [5], [6], [7] and [8]
[13.01.2018] - Added reference [9], [10], [11], [12], [13], [14], [15] and [16]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk