CVE-2018-20219

Name of the Vulnerable Software and Affected Versions: Teracue ENC-400 devices with firmware 2.56 and below

Description: An issue allows attackers to bypass authentication on the device's web administration panel. After successful authentication, the device sends an authentication cookie to the end user. This cookie is hard-coded to a string in the source code, specifically in the /usr/share/www/check.lp file. By setting this cookie in a browser, an attacker can maintain access to every ENC-400 device without knowing the password. The token remains static even if a user changes the password on the device.

Recommendations: For Teracue ENC-400 devices with firmware 2.56 and below, consider disabling access to the web administration panel until a patch is available. Restrict access to the /usr/share/www/check.lp file to minimize the risk of exploitation. Avoid using the hard-coded authentication cookie in the browser to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.