This issue stems from the device not checking whether the user who entered the password is actually allowed to do so. If the administrator account is vulnerable to brute-force attacks, this could lead to remote administration of the device. A further risk comes from the failure to sanitize user input before it is written into the configuration file. Because the configuration file is processed before the password is checked, an attacker could inject malicious code into it and thereby gain remote access to the device even after the password has been changed. This could happen, for example, after a password reset performed while the device is still connected to the attacker’s network.
Another risk comes from the web server running on a non-standard port. An attacker could easily set up a malicious server on the same network and listen for connections on that port, gaining access to the device. This could happen, for example, when the device is connected to a wireless network. Another way to gain access to the device is to connect it directly to the attacker’s network.

Mitigation Strategies

Mitigation strategies for this issue include:
1. Restricting access to the device with a password or PIN
2. Using a firewall that properly filters connections on port 80
3. Modifying the web server to listen on a port other than 80, such as 443

What you need to do to protect your device against brute-force attacks

A brute-force attack is an automated attempt to guess the password of a user account. An attacker who has discovered the password for a user account can use it to take control of the device remotely and gain access to sensitive data. A remote attacker could also be running a malicious server on their network, or have the device connected directly to their network, either of which would grant them access.
The best way to protect your device against brute-force attacks is to use two-factor authentication. This ensures that attackers cannot get in with the username and password alone, as they would also need to obtain the second factor from the user’s mobile phone.
More information about this issue can be found in the security advisory about CVE-2022-40903.

Timeline

Published on: 11/14/2022 23:15:00 UTC
Last modified on: 11/22/2022 17:16:00 UTC

References