Talos Vulnerability Report

TALOS-2020-1011

Epson EB-1470Ui ESPON Web Control Authentication Bypass Vulnerability

May 21, 2020
CVE Number

CVE-2020-6091

Summary

An exploitable authentication bypass vulnerability exists in the ESPON Web Control functionality of Epson EB-1470Ui MAIN: 98009273ESWWV107 MAIN2: 8X7325WWV303. A specially crafted series of HTTP requests can cause authentication bypass resulting in information disclosure. An attacker can send an HTTP request to trigger this vulnerability.

Tested Versions

Epson EB-1470Ui MAIN: 98009273ESWWV107 MAIN2: 8X7325WWV303

Product URLs

https://www.epson.eu/products/projectors/ultra-short-distance/eb-1470ui

CVSSv3 Score

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Details

The EPSON EB-1470UI PROJECTOR is a wide-screen interactive projector with the high WUXGA resolution which can be used for collaboration and sharing on-screen display. It features multiple ways of accessing and sharing content including touch or gesture and also adds ability co collaborate over networked connection, including WiFi

EPSON Web Control shipping with this projector model is vulnerable to authentication bypass allowing to access device settings and granting full read/write configuration access by visiting specific, unauthenticated, URLs as noted below.

The following pages were found to be accessible:

In order to change date of time, the following URL can be accessed:

http://[PROJECTOR IP]/cgi-bin/webconf?page=23

In order to view information about projector, the following URL can be accessed:

http://[PROJECTOR IP]/cgi-bin/webconf?page=5 

In order to modify primary configuration details such as IP configuration, users connected to email or active directory, the following URL can be accessed:

http://[PROJECTOR IP]/cgi-bin/webconf?page=8 

In order to change screen adjustment options, the following URL can be accessed:

http://[PROJECTOR IP]/cgi-bin/webconf?page=1 

To reset the device, the following URL can be accessed:

http://[PROJECTOR IP]/cgi-bin/webconf?page=42

In order to modify secondary configuration details (including email, printout settings and password for CIFS share), the following URL can be accessed:

http://[PROJECTOR IP]/cgi-bin/webconf?page=45

In order to shut down the device or control input, the following URL can be accessed:

http://[PROJECTOR IP]/cgi-bin/webconf?page=61

In order to view name and ip of projector, the following URL can be accessed:

http://[PROJECTOR IP]/cgi-bin/webconf?page=76

In order to view wireless and wired configuration, the following URLs can be accessed:

http://[PROJECTOR IP]/cgi-bin/webconf?page=77
http://[PROJECTOR IP]/cgi-bin/webconf?page=102
http://[PROJECTOR IP]/cgi-bin/webconf?page=103

Timeline

2020-02-11 - Initial contact
2020-02-17 - Plain text file sent

2020-02-19 - 2nd follow up with Epson support incident #200219-004955
2020-03-17 - Vendor acknowledged would investigate issue
2020-04-27 - 3rd follow up noting 14 days from 90 day deadline
2020-05-06 - Final follow up advising release date
2020-05-21 - Public Release

Credit

Discovered by Yuri Kramarz of Cisco Talos.