Title: CVE-2019-9657: Alarm.com ADC-V522IR 0100b9 Insecure OpenVPN certificate.
Affected Vendor: Alarm.com
Affected Product: ADC-V522IR
Affected Version: 0100b9, potentially others
Platform: Embedded Linux
Impact: OpenVPN private certificate access.
Attack vector: shell
CVE ID: CVE-2018-19588, CVE-2019-9657
Any user with access to the Alarm.com camera can access Alarm.com's unencrypted OpenVPN certificate.
Alarm.com did not encrypt or use a form of mandatory access control to protect the Alarm.com OpenVPN private certificate.
Vendor did not consider this a risk. However, anyone with access to the keys will be able to MITM and decrypt the data in transit.
VFX Team.
Jul 12, 2019 - Vendor responded.
Jul 9, 2019 - Published.
Mar 8, 2019 - Vendor responded, but did not have any additional information.
Jan 2, 2019 - Vendor contacted.
Dec 7, 2018 - Vendor contacted.
Nov 26, 2018 - Proof of concept disclosed to vendor.
Oct 22, 2018 - Vendor contacted.
1. Leverage access gained in CVE-2018-19588.
2. Export the configuration file named backup-ADC-V522IR-ALAM-0100b9.tar.gz.
3. Extract the configuration file and edit /etc/inetd.conf to enable telnet. Compress the backup into a tar.gz format.
4. Restore the new backup to the camera and the camera will reboot upon upload.
5. Telnet to the camera to access unencrypted /ovpn/client1.key.