PT-2019-12936 · Enttec · Enttec E-Streamer Mk2+3

Published

2019-06-07

·

Updated

2020-08-24

·

CVE-2019-12775

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

ENTTEC Datagate MK2 version 70044 update 05032019-482
ENTTEC Storm 24 version 70044 update 05032019-482
ENTTEC Pixelator version 70044 update 05032019-482
ENTTEC E-Streamer MK2 version 70044 update 05032019-482
Description

The www-data account, under which the device's web application service runs, is granted sudo rights to run any system command as root without a password. No access control separates the web server from the privileged operating system. As a result, any vulnerability in the web application that yields command execution yields root on the device at the same time: the attacker can create or run privileged binaries and executables without a further privilege escalation step.
Recommendations

All four products are affected in version 70044 update 05032019-482 (ENTTEC Datagate MK2, Storm 24, Pixelator and E-Streamer MK2). Until a patch is available, restrict the www-data user's access to sudo: remove the unrestricted passwordless grant and, if the web application genuinely needs a privileged action, allow only that specific command. As a temporary workaround, consider disabling the web application service until a patch is available to minimize the risk of exploitation.
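The two sides of the advisory's condition, as an added example that is not part of the advisory and not ENTTEC's code: how an attacker who already has command execution as www-data confirms that sudo is passwordless, and an offline audit of a sudoers file that flags the unrestricted grant and accepts a least-privilege replacement. The sudoers contents, the function names and the `estreamer.service` unit name are all constructed for illustration; the device's real sudoers file is not reproduced here.

```shell
#!/bin/sh
# Added example; not code from the advisory or from ENTTEC. Shows how to
# confirm the condition the advisory describes and how to audit a sudoers
# file for it. The sudoers texts and the service name are constructed.

# From a webshell or command-injection foothold as www-data, ask sudo what
# it will allow without a password (-n never prompts). A line ending in
# "NOPASSWD: ALL" means any web-application RCE is already root.
probe_sudo() {
    sudo -n -l 2>/dev/null | grep -E 'NOPASSWD:[[:space:]]*ALL[[:space:]]*$'
}

# Offline audit: read sudoers text on stdin and return 0 if USER has a grant
# whose command list is the unrestricted "NOPASSWD: ALL", 1 otherwise.
# Limitation: matches plain user lines only; group grants (%www-data) and
# Cmnd_Alias expansions are not resolved, so prefer "sudo -l -U www-data"
# on the device itself when you can.
has_unrestricted_nopasswd() {
    grep -E "^[[:space:]]*$1[[:space:]]+.*NOPASSWD:[[:space:]]*ALL[[:space:]]*$" >/dev/null
}

# Classify a sudoers text for USER: prints VULNERABLE or ok.
classify() {   # usage: classify USER "sudoers text"
    if printf '%s\n' "$2" | has_unrestricted_nopasswd "$1"; then
        echo VULNERABLE
    else
        echo ok
    fi
}

# Constructed sample: the grant the advisory describes (full root, no password).
WEAK_SUDOERS='Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL'

# Constructed sample: a least-privilege replacement. The unit name is
# hypothetical; the point is one pinned absolute path instead of ALL, so
# www-data cannot substitute its own binary or run an arbitrary command.
HARDENED_SUDOERS='Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /bin/systemctl restart estreamer.service'

# Report both samples when run stand-alone.
echo "weak sudoers:     $(classify www-data "$WEAK_SUDOERS")"
echo "hardened sudoers: $(classify www-data "$HARDENED_SUDOERS")"
```

When applying the hardened grant on a real device, edit with `visudo` (or run `visudo -c` afterwards) so a syntax error does not lock sudo entirely, and check every file under `/etc/sudoers.d/` as well as `/etc/sudoers`, since the grep above only sees the text you feed it.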

Weakness Enumeration

Improper Privilege Management (CWE-269)

Related Identifiers

CVE-2019-12775

Affected Products

Enttec Datagate Mk2
Enttec E-Streamer Mk2
Enttec Pixelator
Enttec Storm 24