
1. Vulnerability Details.

Title: CVE-2019-9657: Alarm.com ADC-V522IR 0100b9 Insecure OpenVPN certificate.

Affected Vendor: Alarm.com

Affected Product: ADC-V522IR

Affected Version: 0100b9, potentially others

Platform: Embedded Linux

Impact: OpenVPN private certificate access.

Attack vector: shell

CVE ID: CVE-2018-19588, CVE-2019-9657

2. Vulnerability Description.

Any user with access to the Alarm.com camera can access Alarm.com's unencrypted OpenVPN certificate.

3. Technical Description.

Alarm.com neither encrypted the Alarm.com OpenVPN private certificate nor used any form of mandatory access control to protect it.
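As an added illustration (not part of the original advisory and not vendor code), the following audit walks an extracted root filesystem and reports PEM private keys, including keys inlined in an OpenVPN `<key>` section, that are stored without passphrase encryption or are readable by group/other. The function names, sample file names and placeholder key bodies are constructed for the example; it checks ordinary file mode bits only and does not inspect SELinux or AppArmor policy.

```python
import os
import re
import stat
import tempfile

# PEM private-key blocks, including keys inlined in an OpenVPN <key> section.
PEM_KEY = re.compile(
    r"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

def key_is_encrypted(label, body):
    """PKCS#8 signals encryption in the label, legacy PEM in a Proc-Type header."""
    return label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body

def audit_tree(root):
    """Return sorted (relative path, issue) pairs for private keys under root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or st.st_size > 1_000_000:
                continue  # skip symlinks, devices and large binaries
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root)
            for label, body in PEM_KEY.findall(text):
                if not key_is_encrypted(label, body):
                    findings.add((rel, "unencrypted private key"))
                if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                    findings.add((rel, "key readable by group/other"))
    return sorted(findings)

def write_sample(root):
    """Constructed sample tree; key bodies are placeholders, not key material."""
    pem = "-----BEGIN {0}-----\n{1}PLACEHOLDER\n-----END {0}-----\n"
    samples = {
        "client.key": (pem.format("PRIVATE KEY", ""), 0o644),
        "client.ovpn": ("<key>\n" + pem.format("RSA PRIVATE KEY", "") + "</key>\n", 0o600),
        "enc.key": (pem.format("ENCRYPTED PRIVATE KEY", ""), 0o600),
        "legacy.key": (pem.format("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\n"), 0o640),
    }
    for name, (text, mode) in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
        os.chmod(os.path.join(root, name), mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        print(audit_tree(tmp))
```

A key that is both encrypted and owner-only (`enc.key` in the sample) produces no finding; a passphrase-protected key that is still group-readable (`legacy.key`) is reported for its permissions alone.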

4. Mitigation and Remediation Recommendation

5. Credits

VFX Team.

6. Disclosure Timeline

Jul 12, 2019 - Vendor responded, fixes forthcoming.

Jul 9, 2019 - Published.

Mar 8, 2019 - Vendor responded, but did not have any additional information.

Jan 2, 2019 - Vendor contacted.

Dec 7, 2018 - Vendor contacted.

Nov 26, 2018 - Proof of concept disclosed to vendor.

Oct 22, 2018 - Vendor contacted.

7. Proof of Concept

© 2002-2019 VFX Computing, Inc. All Rights Reserved.