[ services ]
[ about ]
[ legal ]

1. Vulnerability Details.

Title: CVE-2019-9657: Alarm.com ADC-V522IR 0100b9 Insecure OpenVPN certificate.

Affected Vendor: Alarm.com

Affected Product: ADC-V522IR

Affected Version: 0100b9, potentially others

Platform: Embedded Linux

Impact: OpenVPN private certificate access.

Attack vector: shell

CVE ID: CVE-2018-19588, CVE-2019-9657

2. Vulnerability Description.

Any user with access to the Alarm.com camera can access Alarm.com's unencrypted OpenVPN certificate.

3. Technical Description.

Alarm.com did not encrypt or use a form of mandatory access control to protect the Alarm.com OpenVPN private certificate.

4. Mitigation and Remediation Recommendation

Vendor did not consider this a risk. However, anyone with access to the keys will be able to MITM and decrypt the data in transit.

5. Credits

VFX Team.

6. Disclosure Timeline

Jul 12, 2019 - Vendor responded.

Jul 9, 2019 - Published.

Mar 8, 2019 - Vendor responded, but did not have any additional information.

Jan 2, 2019 - Vendor contacted.

Dec 7, 2018 - Vendor contacted.

Nov 26, 2018 - Proof of concept disclosed to vendor.

Oct 22, 2018 - Vendor contacted.

7. Proof of Concept

1. Leverage access gained in CVE-2018-19588.

2. Export the configuration file named backup-ADC-V522IR-ALAM-0100b9.tar.gz.

3. Extract the configuration file and edit /etc/inetd.conf to enable telnet. Compress the backup into a tar.gz format.

4. Restore the new backup to the camera and the camera will reboot upon upload.

5. Telnet to the camera to access unencrypted /ovpn/client1.key.

© 2002-2020 VFX Computing, Inc. All Rights Reserved.