CVE-2019-12777

Name of the Vulnerable Software and Affected Versions ENTTEC Datagate MK2 version 70044 update 05032019-482 ENTTEC Storm 24 version 70044 update 05032019-482 ENTTEC Pixelator version 70044 update 05032019-482 ENTTEC E-Streamer MK2 version 70044 update 05032019-482

Description An issue was discovered where the firmware replaces secure directory permissions with insecure read, write, and execute permissions for all users. By default, directories such as /usr/local and its subdirectories should only allow non-privileged users to read and execute, but the firmware startup script permits all users to read, write, and execute from directories like /usr, /usr/local, /usr/local/dmxis, and /usr/local/bin.

Recommendations For ENTTEC Datagate MK2 version 70044 update 05032019-482, consider restricting directory permissions to prevent all users from reading, writing, and executing from sensitive directories. For ENTTEC Storm 24 version 70044 update 05032019-482, restrict access to the /usr, /usr/local, /usr/local/dmxis, and /usr/local/bin directories to minimize the risk of exploitation. For ENTTEC Pixelator version 70044 update 05032019-482, modify the firmware startup script to set secure directory permissions, denying non-privileged users from creating or editing files in sensitive locations. For ENTTEC E-Streamer MK2 version 70044 update 05032019-482, as a temporary workaround, consider disabling the firmware startup script that sets insecure directory permissions until a patch is available.