PT-2023-21687 · Snap One · Ovrc Pro

Uri Katz · Published 2023-05-22 · Updated 2024-12-09 · CVE-2023-28386

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Snap One OvrC Pro devices, versions 7.2 and prior

Description: The issue arises from the device's failure to properly validate firmware updates. The device relies solely on computing the MD5 hash of the firmware image and does not use a private/public key mechanism, so there is no check that the image originated from the vendor. This lack of a complete PKI system for firmware signature verification could allow attackers to upload arbitrary firmware updates, resulting in code execution.

Recommendations: For versions 7.2 and prior, consider disabling firmware updates until a patch is available that implements a complete PKI system for firmware signature verification. Restrict access to the firmware update mechanism to minimize the risk of exploitation. Avoid using the MD5 hash as the sole means of verifying firmware updates. Update to a version that includes a fix for this issue when available.
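The two verification schemes contrasted in the description, as an added illustration (not code from Snap One or from the advisory): an MD5-only check accepts any package whose digest was recomputed by whoever built it, while an Ed25519 signature check bound to a vendor public key provisioned on the device rejects anything not signed with the vendor private key. The package layout, field names and function names are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"fmt"
)

// FirmwareImage is a constructed stand-in for an update package: the image
// bytes plus the metadata shipped with them (field layout is assumed).
type FirmwareImage struct {
	Data      []byte
	MD5       [16]byte // digest the weak check relies on
	Signature []byte   // Ed25519 signature the hardened check relies on
}

// weakVerify mirrors the flawed scheme the advisory describes: accept the
// image whenever its MD5 matches the digest shipped next to it. Whoever builds
// the package also computes the digest, so this proves nothing about origin.
func weakVerify(img FirmwareImage) bool {
	return md5.Sum(img.Data) == img.MD5
}

// strongVerify checks an Ed25519 signature over the image against a vendor
// public key provisioned on the device at manufacture. Only the holder of the
// matching private key can produce a signature this accepts.
func strongVerify(vendorPub ed25519.PublicKey, img FirmwareImage) bool {
	return ed25519.Verify(vendorPub, img.Data, img.Signature)
}

// packageSigned is what the vendor build pipeline does: digest and sign.
func packageSigned(priv ed25519.PrivateKey, data []byte) FirmwareImage {
	return FirmwareImage{Data: data, MD5: md5.Sum(data), Signature: ed25519.Sign(priv, data)}
}

// packageUnsigned is any package built without the vendor key: the MD5 is
// trivially recomputed, but the signature slot cannot be filled in.
func packageUnsigned(data []byte) FirmwareImage {
	return FirmwareImage{Data: data, MD5: md5.Sum(data)}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor key pair
	genuine := packageSigned(priv, []byte("constructed firmware v7.3"))
	rogue := packageUnsigned([]byte("constructed firmware, not from vendor"))
	fmt.Println("genuine: md5-only", weakVerify(genuine), "signed", strongVerify(pub, genuine))
	fmt.Println("rogue:   md5-only", weakVerify(rogue), "signed", strongVerify(pub, rogue))
}
```

A real device would additionally pin the public key in read-only storage and check an anti-rollback version field inside the signed payload, both outside the scope of this example.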

Fix

Weakness Enumeration: Insufficient Verification of Data Authenticity

Related Identifiers: CVE-2023-28386

Affected Products: Ovrc Pro