Unauthenticated remote code execution (command injection) vulnerability in Barco NDN-210/NDN-211

[KB11588]


Summary

The NDN-210 and NDN-211 expose a web administration panel over HTTPS that uses HTTP Basic authentication for logon. The username and password fields of that logon prompt are subject to command injection: input from the credential fields reaches a command interpreter before the credentials are validated, so an attacker who can reach the panel obtains remote code execution on the device without holding a valid account.
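The bug class described above, as an added illustration that is not Barco's code (the NDN firmware is not public, so the login handler, the credential check, the helper names and the log lines below are all hypothetical and constructed). It shows a Basic-auth handler that splices the decoded username and password into a shell command string, the injected payload running before any credential comparison, the fixed handler passing the same values as argv entries so the shell never parses them as code, and a small log check that decodes Basic-auth tokens and flags credentials containing shell metacharacters:

```python
"""Added example, not from the Barco advisory or firmware.
Everything here (handler logic, helper names, log format) is hypothetical."""
import base64
import re
import subprocess

# Characters that let data break out of a shell word or start a new command.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")


def parse_basic_auth(header_value):
    """Decode an 'Authorization: Basic <b64>' value into (user, password).
    Returns None on a malformed header so callers fail closed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def vulnerable_login(header_value):
    """Hypothetical vulnerable handler: credentials are interpolated into a
    shell command string. A quote in the username terminates the shell word,
    and anything after ';' runs BEFORE the credential check can fail."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return ""
    user, password = creds
    cmd = f"[ '{user}' = 'admin' ] && [ '{password}' = 'secret' ] && echo AUTH_OK"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def hardened_login(header_value):
    """Fixed handler: the same check, but user and password travel as $1 and $2
    (argv entries) and are never re-parsed as shell syntax. Comparing in-process
    with hmac.compare_digest would be better still; the shell is kept only to
    show the like-for-like fix."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return ""
    user, password = creds
    script = '[ "$1" = admin ] && [ "$2" = secret ] && echo AUTH_OK'
    out = subprocess.run(["/bin/sh", "-c", script, "sh", user, password],
                         capture_output=True, text=True)
    return out.stdout.strip()


def basic(user, password):
    """Build the header value a client would send (used to construct samples)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def flag_injection_attempts(log_lines):
    """Detection: decode Basic-auth tokens found in (constructed) access-log
    lines of the form '<ip> <path> <status> "Authorization: Basic <b64>"' and
    return (ip, (user, password)) for credentials containing shell metacharacters."""
    hits = []
    for line in log_lines:
        m = re.search(r'"Authorization: (Basic [A-Za-z0-9+/=]+)"', line)
        if not m:
            continue
        creds = parse_basic_auth(m.group(1))
        if creds and (SHELL_META.search(creds[0]) or SHELL_META.search(creds[1])):
            hits.append((line.split()[0], creds))
    return hits


# Constructed samples: one legitimate logon and one injection attempt.
PAYLOAD = "'; echo INJECTED; '"
SAMPLE_LOG = [
    '10.0.0.5 /login 200 "Authorization: ' + basic("admin", "secret") + '"',
    '10.0.0.9 /login 401 "Authorization: ' + basic(PAYLOAD, "x") + '"',
]

if __name__ == "__main__":
    print("vulnerable, valid creds :", vulnerable_login(basic("admin", "secret")))
    print("vulnerable, payload     :", vulnerable_login(basic(PAYLOAD, "x")))
    print("hardened,   payload     :", hardened_login(basic(PAYLOAD, "x")))
    print("flagged log entries     :", flag_injection_attempts(SAMPLE_LOG))
```

The point to take from the vulnerable handler is that the injected command executes regardless of whether the credentials are correct, which is exactly why the advisory rates this as unauthenticated RCE rather than a post-authentication bug. The log check is only a coarse indicator: it catches attempts that carry metacharacters in the decoded credentials, and on a device that does not log Authorization headers it has nothing to work with, so patching remains the actual fix.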

CVE: CVE-2020-17500

Severity: High

CVSS 3.1 Score: 8.8

Source

The issue was reported to Barco through Barco's Responsible Disclosure program by security researchers Kristoffer Blasiak and Ulf Frisk of the Federal Police of Sweden.

Affected Products

The following products running TransForm N (TFN) software versions prior to the 3.8 release are affected.

  • TransForm NDN-210 Lite
  • TransForm NDN-210 Pro
  • TransForm NDN-211 Lite
  • TransForm NDN-211 Pro

Solution

The fix is included in Barco's TransForm N (TFN) 3.8 release, and applying that release is strongly recommended. Because the flaw is reachable without credentials, access to the web administration panel should be limited to trusted management networks until the update has been applied. TFN is Barco's visualization platform, consisting of display wall controller output nodes, input nodes, system and gateway nodes, and the Control room Management software Suite (CMS). It lets control room professionals collect all types of source data and organize and transform that data efficiently and transparently into visual information on display walls. Further details of the release package are available in the release notes.


Last updated Nov 05 2020
