Design limitation of iDS6 DSSPro Digital Signage System 6.2 – 6th Nov 2020

Preface: Digital signage’s content is powered by a media player or system-on-a-chip which pushes content to a display.
Users can then manage the content with a content management system.

Background: Design limitation of iDS6 DSSPro Digital Signage System 6.2. The vulnerability is caused by the autoSave password function.
Because the management traffic is plain, unencrypted HTTP, the cookie sent across the Internet discloses the user's password. If I am using this product,
how can I reduce the risk?

Cause details and remedy: The root causes of the user password disclosure are shown in the attachment.
If the vendor has not yet released a remediation, operators of this product's web service should do the following.

  1. Avoid using WiFi for management. Use a workstation in a trusted network instead.
  2. Set a firewall rule that allows only the managed IP address to connect to the specific IP address, i.e. the path from point C to point B (refer to the diagram). Do not use a wireless connection.
  3. From point B to point A, use a cabled network instead of a WiFi connection.

Additional: Set the cookie age to 4 minutes and reset the cookie age every time your server sends a response;
the cookie will then time out after 4 minutes of inactivity.
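The 4-minute idle timeout above, worked through as an added example (not code from this advisory or from the vendor): the session cookie carries only an opaque random token, the server holds the real state and pushes the expiry out on every response, and the Set-Cookie header it emits uses the same Max-Age so the browser's copy expires with the server's. The class and cookie name `session` are assumptions for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Idle timeout from the advisory: 4 minutes, refreshed on every response.
IDLE_TIMEOUT_SECONDS = 4 * 60


class SlidingSessionStore:
    """Server-side sessions keyed by a random token; the password never goes into the cookie."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # token -> (username, expires_at)

    def create(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # opaque, not derived from the password
        self._sessions[token] = (username, now + self.idle_timeout)
        return token

    def touch(self, token, now=None):
        """Validate the token and push its expiry out by another idle period.
        Returns the username, or None if the session is missing or timed out."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]  # idle too long: drop it server-side
            return None
        self._sessions[token] = (username, now + self.idle_timeout)
        return username

    def set_cookie_header(self, token):
        """Set-Cookie value to send on every response so the browser's cookie expires
        at the same moment as the server-side session."""
        cookie = SimpleCookie()
        cookie["session"] = token
        cookie["session"]["max-age"] = self.idle_timeout  # 240 seconds
        cookie["session"]["httponly"] = True  # keep it away from page scripts
        cookie["session"]["samesite"] = "Strict"
        cookie["session"]["path"] = "/"
        return cookie.output(header="").strip()
```

Call `touch()` on every authenticated request and send `set_cookie_header()` with every response; a client that stays quiet for longer than 240 seconds is rejected on its next request.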

Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page: http://www.yerootech.com
Affected versions: V6.2 B2014.12.12.1220
V5.6 B2017.07.12.1757
V4.3
