PT-2017-17071 · Openelec · Openelec

Published: 2017-03-05 · Updated: 2019-10-03 · CVE-2017-6445

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: OpenELEC versions 6.0.3, 7.0.1, 8.0.4

Description: The issue concerns the auto-update feature, which lacks encrypted connections and signed updates. This allows a man-in-the-middle attacker to manipulate update packages, potentially gaining root access remotely.

Recommendations:

For OpenELEC version 6.0.3, consider disabling the auto-update feature until a secure update mechanism is implemented.

For OpenELEC version 7.0.1, restrict network access to prevent potential man-in-the-middle attacks until a fix is available.

For OpenELEC version 8.0.4, avoid using the auto-update feature over untrusted networks to minimize the risk of exploitation.

Exploit

Fix

Missing Encryption of Sensitive Data

Improper Verification of Cryptographic Signature


Weakness Enumeration

Related Identifiers

CVE-2017-6445

Affected Products

Openelec