From: Twonky security team <security () lynxtechnology.com>
The vulnerability permits attackers with access to the local network in which Twonky Server runs to write arbitrary files on the
host running Twonky Server. It can be used to replace existing files or create new files on the file system, with the access
rights of the user ID under which Twonky Server runs (which can be root).
Because it can overwrite and replace arbitrary files, this vulnerability can be used to gain control
of the target system by overwriting system files, or to cause a denial of service by overwriting system critical
All systems running Twonky Server versions 7.0.x, 8.0 and 8.1 with the NMC web API or web API enabled.
Add the following configuration options to the Twonky Server configuration file:
This will block access to the vulnerable function.
NOTE: Setting 'enableweb' to '0' will completely disable HTTP web access to Twonky Server!
The issue has been resolved in the following versions:
Customers running Twonky Servers 7.0/7.1 or 8.0 are encouraged to upgrade to 8.1.2.
Twonky Server download locations: