Authenticated remote code execution or Command injection vulnerability in Barco NDN-210/NDN-211

[KB11589]

This article applies to the following products:

Summary

The NDN-210 and NDN-211 have a web administration panel that is made available over HTTPS. A command injection issue in this panel allows authenticated users to perform remote code execution.

CVE: CVE-2020-17502, CVE-2020-17503, CVE-2020-17504

Severity: Medium

CVSS 3.1 Score: 6.8

Source

The issue was reported to Barco through Barco’s Responsible Disclosure program by fellow security researchers Kristoffer Blasiak and Ulf Frisk of the Federal Police of Sweden.

Affected Products

The following products running versions prior to the release of TFN 3.8 are affected.

  • TransForm NDN-210 Lite
  • TransForm NDN-210 Pro
  • TransForm NDN-211 Lite
  • TransForm NDN-211 Pro

Solution

The fix is available as part of Barco’s TransformN (TFN) 3.8 release. It is highly recommended to apply the fixes as part of this package. TFN is Barco’s visualization platform, consisting of display wall controller output nodes, input nodes, system and gateway nodes and the Control room Management software Suite (CMS). TFN helps control room professionals collect all possible types of source data, and organize and transform this source data in the most efficient and transparent way to create visual information on display walls. Further details of the release package are available in the release notes.

Properties

Last updated Nov 05 2020