CVE-2018-20219
Published 2019-03-21
Priority: P272 · high · 8.1 CVSS 3.0
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 14.55% (96.2th percentile)
An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. After successful authentication, the device sends an authentication cookie to the end user so that they can access the device's web administration panel. This token is hard-coded to a string in the source code (/usr/share/www/check.lp file). By setting this cookie in a browser, an attacker is able to maintain access to every ENC-400 device without knowing the password, which results in authentication bypass. Even if a user changes the password on the device, this token is static and unchanged.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| teracue | enc-400_hdmi2_firmware | <= 2.56 | — |
| teracue | enc-400_hdmi_firmware | <= 2.56 | — |
| teracue | enc-400_hdsdi_firmware | <= 2.56 | — |
Detection & IOCs (extracted from sources)
- Detect requests carrying the hard-coded authentication cookie name 'AuthByPasswdENC400' with the static value 'Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA=='; presence of this cookie in any HTTP request to an ENC-400 device indicates an authentication bypass attempt.
- In patched firmware v2.57, the cookie value is generated from os.time() (current time in seconds), making it trivially predictable; monitor for rapid sequential authentication attempts that may indicate time-based cookie brute-forcing.
- Flag unauthenticated HTTP GET requests to '/configuration.xml' on ENC-400 devices, as this endpoint exposes stream IP, port, and encryption details without requiring authentication.
- The hard-coded cookie token is present in firmware v2.56 and below; firmware v2.57 changes to dynamic generation but derives the value solely from os.time(), which remains exploitable.
- The static token is noted to be slightly different across firmware versions, but the core value remains the same; detections should key on the cookie name 'AuthByPasswdENC400' regardless of exact value.
- Even after a password change on the device, the hard-coded token remains valid, meaning credential rotation does not mitigate this bypass on unpatched firmware.
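The three checks above as one detection pass over parsed HTTP request records. This is an added example, not code from the advisory or the vendor. Because legitimate sessions on firmware 2.56 and below carry the same static cookie, it assumes a hypothetical allowlist of management hosts (`ADMIN_SOURCES`); the event tuple layout and the guessing thresholds are also assumptions.

```python
from collections import defaultdict

COOKIE_NAME = "AuthByPasswdENC400"                         # from the advisory
STATIC_VALUE = "Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA=="  # from the advisory
ADMIN_SOURCES = {"10.0.0.5"}     # assumption: hosts allowed to administer encoders
WINDOW_S, MAX_DISTINCT = 60, 3   # assumption: guessing thresholds, tune locally

def parse_cookies(header):
    """Split a Cookie header into a dict; values may contain '=' and ':'."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar

def detect(events):
    """events: (epoch_s, src_ip, method, path, cookie_header), sorted by time."""
    alerts, seen = [], defaultdict(list)
    for ts, src, method, path, cookie in events:
        token = parse_cookies(cookie).get(COOKIE_NAME)
        if token is None:
            # No auth cookie at all: only the configuration endpoint is of interest.
            if method == "GET" and path.split("?")[0] == "/configuration.xml":
                alerts.append((ts, src, "unauth-config-read"))
            continue
        if src not in ADMIN_SOURCES:
            # Key on the cookie name; the exact static value raises confidence.
            kind = "static-token" if token == STATIC_VALUE else "auth-cookie-unexpected-source"
            alerts.append((ts, src, kind))
        # Many distinct values from one source in a short window suggests guessing.
        recent = [(t, v) for t, v in seen[src] if ts - t <= WINDOW_S] + [(ts, token)]
        seen[src] = recent
        if len({v for _, v in recent}) > MAX_DISTINCT:
            alerts.append((ts, src, "cookie-guessing"))
    return alerts

# Constructed sample events (documentation-range addresses), not captured traffic.
SAMPLE = [
    (1000, "10.0.0.5", "GET", "/", f"{COOKIE_NAME}={STATIC_VALUE}"),
    (1010, "198.51.100.7", "GET", "/", f"{COOKIE_NAME}={STATIC_VALUE}"),
    (1020, "198.51.100.9", "GET", "/configuration.xml", ""),
] + [(1100 + i, "10.0.0.5", "GET", "/", f"{COOKIE_NAME}=guess{i}") for i in range(4)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The guessing check runs for allowlisted sources too, so a compromised management host cycling cookie values is still reported.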
CVSS provenance
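| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |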
References
- http://packetstormsecurity.com/files/151802/Teracue-ENC-400-Command-Injection-Missing-Authentication.html
- http://seclists.org/fulldisclosure/2019/Feb/48
- https://zxsecurity.co.nz/research.html