Summary
The NDN-210 and NDN-211 have a web administration panel that is made available over HTTPS. The logon method is basic authentication. A command injection issue in the username and password fields of the logon prompt results in unauthenticated remote code execution.
CVE: CVE-2020-17500
Severity: High
CVSS 3.1 Score: 8.8
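A defensive check for the issue described in the summary, as an added example that is not Barco's code: it decodes Basic credentials (RFC 7617) and flags shell metacharacters or control characters in either field, for use in a TLS-terminating proxy or a log-review script. The character set, function names and sample headers are assumptions constructed for illustration.

```python
import base64
import binascii

# Assumption: characters a POSIX shell treats specially. Heuristic only;
# a legitimate password may contain some of these and would need review.
SHELL_META = set(";|&$`<>(){}\\'\"")


def parse_basic(header):
    """Return (username, password) from an Authorization value, or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id ends at the first colon; the password may contain colons.
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


def is_unsafe(value):
    """True if the field holds a shell metacharacter or a control character."""
    return any(c in SHELL_META or ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def flag_fields(header):
    """Names of credential fields that look unsafe; None if the header is malformed."""
    creds = parse_basic(header)
    if creds is None:
        return None
    return [name for name, value in zip(("username", "password"), creds)
            if is_unsafe(value)]


def make_header(user, password):
    """Build a constructed sample header (test data, not captured traffic)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    samples = [
        make_header("operator", "Winter:2020"),  # ordinary logon, colon in password
        make_header("operator;x", "pw"),         # metacharacter in username
        make_header("operator", "pw`x`"),        # metacharacter in password
        "Basic !!!not-base64",                   # malformed token
    ]
    for sample in samples:
        print(flag_fields(sample), sample)
```

A `None` result is worth logging as well, since a malformed Basic token never comes from a normal browser logon.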
Source
The issue was reported to Barco through Barco’s Responsible Disclosure program by fellow security researchers Kristoffer Blasiak and Ulf Frisk of the Federal Police of Sweden.
Affected Products
The following products running versions prior to the release of TFN 3.8 are affected.
- TransForm NDN-210 Lite
- TransForm NDN-210 Pro
- TransForm NDN-211 Lite
- TransForm NDN-211 Pro
Solution
The fix is available as part of Barco’s TransformN (TFN) 3.8 release. It is highly recommended to apply the fixes as part of this package. TFN is Barco’s visualization platform, consisting of display wall controller output nodes, input nodes, system and gateway nodes, and the Control room Management software Suite (CMS). TFN helps control room professionals collect all possible types of source data and organize and transform this source data in the most efficient and transparent way to create visual information on display walls. Further details of the release package are available in the release notes.