PT-2017-12783 · Tecnovision · Tecnovision Dlx Spot Player

Published: 2017-09-21 · Updated: 2017-09-29 · CVE-2017-12928

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

TecnoVISION DLX Spot Player4 (all known versions)

Description

The issue concerns a hard-coded password for the dlxuser account, which is tecn0visi0n. This allows remote attackers to log in via SSH and then escalate privileges to gain root access using the same credentials.

Recommendations

For all known versions, consider changing the hard-coded password for the dlxuser account to a unique and secure password to prevent unauthorized access. As a temporary workaround, restrict SSH access to the device until a more permanent solution can be implemented.

Fix

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

CVE-2017-12928

Affected Products

Tecnovision Dlx Spot Player