PT-2017-17071 · Openelec · Openelec

Published

2017-03-05

Updated

2019-10-03

CVE-2017-6445

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions OpenELEC versions 6.0.3, 7.0.1, 8.0.4

Description The issue concerns the auto-update feature, which lacks encrypted connections and signed updates. This allows a man-in-the-middle attacker to manipulate update packages, potentially gaining root access remotely.

Recommendations For OpenELEC version 6.0.3, consider disabling the auto-update feature until a secure update mechanism is implemented. For OpenELEC version 7.0.1, restrict network access to prevent potential man-in-the-middle attacks until a fix is available. For OpenELEC version 8.0.4, avoid using the auto-update feature over untrusted networks to minimize the risk of exploitation.

Exploit

Fix

Missing Encryption of Sensitive Data

Improper Verification of Cryptographic Signature

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-311CWE-347

Related Identifiers

CVE-2017-6445

Affected Products

Openelec

PT-2017-17071 · Openelec · Openelec

CVE-2017-6445

Weakness Enumeration

Related Identifiers

Affected Products

References · 5