Page tree
Skip to end of metadata
Go to start of metadata

From: Twonky security team <security () lynxtechnology.com>

ISSUE DESCRIPTION

The vulnerability permits attackers with access to the local network in which Twonky Server runs, to write arbitrary files on the
host running the Twonky Server. It can be used to replace existing or create new files on the file system, as accessible by the user
under which user ID Twonky Server runs (which can be root).

IMPACT

As this vulnerability can be used to overwrite and replace arbitrary files, this vulnerability can be used to gain control
of the target system by overwriting system files or can create a denial of service attack by overwriting system critical
files.

VULNERABLE SYSTEMS

All systems running Twonky Server versions 7.0.x, 8.0 and 8.1 with enabled NMC web API or web API.

MITIGATION

Add the following configuration options to the Twonky Server configuration file:
enablenmcwebapi=0
enableweb=0

This will block access to the incriminated function.
NOTE: Setting 'enableweb' to '0' will completely disable HTTP web access to Twonky Server!

RESOLUTION

The issues has been resolved in the following versions:

7.2.11
8.1.2

Customers running Twonky Servers 7.0/7.1 or 8.0 are encouraged to upgrade to 8.1.2.

Twonky Server download locations:

http://twonky.com/downloads

http://www.twonkyforum.com/downloads/8.1.2/

  • No labels