Motorola/Vigilant LPR 5 High, 2 Medium Vulnerabilities Analyzed
CISA disclosed seven total vulnerabilities impacting Motorola / Vigilant Solutions' LPR solutions.
This report examines the practical risks of these vulnerabilities and the concerns they raise, including comments from Motorola and a comparison to the LenelS2 NetBox vulnerabilities (2 critical, 1 high).
***** ***** *************** ***** ** ****** as * ******** **** *** ********, they **** ***** ** ******** ******** that ***-***** ********'************ ** **** / ******** ***(****** ******* ****) *** **** ******** "a ***** ****** ** *****" ******* EOL ******** ******** **** **** ***-***** Motorola's ***** *******.
*******, **** ******** ******, ** ******** should **** ******/******** ***** *************** ****** and *** ******* *** ********* ** run ** ******** ******** **** *** five ** **** ***** ***. ***** vulnerabilities **** **** ****** ****** *** Motorola *** *** *********, ** *** vulnerabilities ***** **** **** ******** ********* by ********, *** ********, *** **** of ***** ******* *** *****-******* / not **********.
*******, **** ********'* ****** ********* *** ******* **********, ******* **** *** / *** cloud-updated / ******* **** ******** ******* easier *** **** *********** ************* ********** over *********** *******. *** **** ******* is **** ***** ******* / ********** reduce *** ***** ** ******* ********* on ********** ******** (****** *** ******** is ***********), ** ******* *** ** automatically ****** *** ******* ** *********' systems.
** *** ******** ****, ******** * common *** ** *** ********, ******** did *** ******** ******** ***** *************** themselves. *******, ******** ********* **** **** "working ****" **** *** *** (*** entity *** ***** *** ******** *** vulnerabilities) ** ******** *** **** *** had *****-***** *********** ******* ** ******** their *****.
Motorola **. ******* ***************
********,******* ****** *** *** ******** *** one ****-******** *************, ********* ***** ****-***** *********, ******* to *** ** *** *************** ********* for ******** / ********.
*****'* ********* *************** **** ************* ***** for **** (*** **** ** ******** score) ** **** ********* *** ****** and **** ****-***** *********** ** **** release ********. ******** / ******** ********* vulnerabilities ** ******** ******** **** **** years *** **** ********, *** ********, developed.
Motorola's **********
***** ** ********'* ***** ******** *********, as **** ******* **** **** "********" and "****[**] **** ****" *** *** third-party *********** ******* ** ****** *** fixes:
******** ********* ******** *** ******* *** products ** ********** **** ******** *** protect *** ***************, ********* *** ************ of ****. ** ******* ************ *** resolved **** ******, ********** ********** ******** risks *** ******* **** **** ** disclose ***** ****. *****-***** *********** ******* validated *** ************. ** ***** ***** no ******** ** ************ ****** *** products. ** ******** ****** *** ********
*******, **** ******** ******** ********, **** should **** **** **** ** **** to ****** ***** **** ** *************** and **** *** ********* **** / would ****** ** ** ****.
**** **** ******* ********* ** ******* aspects **** ********** **********, ***** **** confirmed *** *************** ****** ******* ** the ******** ****** ***** *********** ** Vigilant *** *** ******** ** *** updates *** **** *** *** *****:
**** ******** *.*.***.* *** ***** **** impacted. *** ********, *** *** *******, is ***-**-****, *** ** ***-***** *** acquisition ** ********.
*** ******** ******* **** **** **** the ***. ** * ***** ****** of *****, ******* ***-***** ***** ********** capabilities.
No ****** ******** **********, ******** ****
***** ****** ** *** ********, **********, Motorola *** *** ***** *** *** disclosure / *******. ****, **** *** not ******* ** **** ** *** reasoning / ********* *** *** ***** so, ** **** **** ********** ******** their *** ********** **** ***** ***** products. ******:******** **** * *************** **** ********
***** ** ** *** ********, ** would **** ***** *********, *** ** these ******* **** *** *****-********** / managed, ** ***** ***** ** ********** and ***** *** **** ** ************ for *** ********, ****** ***** **** here ** ***** ******* *** ** updated ********* ********* *** *** *****.
Impacted ****** / ******** *******
***** *** **** ******** *** ******** themselves *** **** *** "******** ***** *** **** *** (*******-****, ******** *.*.***.* *** *****)" *** the ****** ********** ** ************, ****** results ** ******** ** *** *********** populate / ****** *** ******* ******, rather ******** *** *********, *** ****'* advisories.
** ****, **** ********* *** ********** device ** *********** *** ***** ***(***** ***** *****), ***** *********** ******* power *** ************* *** ********'* ***** LPR ******* (* ******* *** ***, per *****):
Motorola ***** ** **** ********
******** ** ********** ****** ** *** CISA **********, ******* ******** ****** **** MC3 *** **** ** ***** *************** - *** *** *** **** / disclose **** ** ****. *** *******, Motorola ** ********* ** *** ******** making *************** *** **********:
** ********, ** / **** ******* are *** ************* / ******* **** CISA ** *** **********, **** ***** be ***** / ***** ******* ***************, like *** ******* *****:
Vulnerability ********
**** ** *** ***** ***** *************** were ****-********; *** **** ****** ********, with *** ****** *** ********* ***** varying *************. ** *** ********* *******, we ****** *** **** *** ***** practical ***** *** *** ******* *********** to ***** ********.
Replay ****** / ********* **************, **** ******** *.* (***-****-*****)
*** ******* ***********-****-******** * **** *.* ******** ************* with **** ********* **** *** *** attack **********. ** ******** ***** ******** exploit **** ************* ** ******** ******* and ********* *** ******** ******* ** perform ******* ** **** ****** ** systems.
Hard-Coded ***********, **** ******** *.* (***-****-*****)
*** ****** ******* *********,***-****-*****, *** * **** *.* ******** vulnerability, ***** ***** **** *********** ********* as ****-***** ******** ***** ** * known **** / *** **** ****** criticized. *******, **** ********* **** ** medium-to-low ** *** ******** **** ** on *** **** *** ** ****** logical ********* ** ******* *** ******.
Default ***********, **** ******** *.* (***-****-*****)
*** ***** ******* ********* *************,***-****-*****, *** * **** *.* ******** vulnerability. *** ****** ******** ******* *********** (no ************* ** ***** ************). ** is * ******-**-*** ********* **** ******* it ******** *** ******** ** **** local ****** (** ********) *** ****** be ********* ********. *******, ** ******** can *** **** *** ** *** take **** *** ****** ** ******** locally.
Insufficiently ********* **** ******* ***********, **** ******** *.* (***-****-*****)
*** ****** ************* *********,***-****-*****, *** * **** *.* ******** vulnerability **** ******* *********** ** ** retrieved *** *** ************ ******* **** a *** ****** **********. *******, *** practical **** ** *** ** **** requires ****** ******** ****** ** *** device.
Sensitive **** / *********** ****** ** ***** ****, **** ******** *.* (***-****-*****)
*********, *** ***** ************* *********,***-****-*****, ** **** * **** *.* severity ************* **** ******* ********* **** and *********** ** ** ********** *** to **** ********** **** *** ****** complexity. *******, *** ********* **** ****** be ********** *** ** ** ******** needs ****** ******** ****** ** **** device.
Sensitive **** ****** ******* **********, ****** ******** *.* (***-****-*****)
*** ***** ********* *************,***-****-*****,** * ****** ******** ************* **** allowed ********* ** **** ******** ** there *** ****** **** ** ******* encryption (*** ********* **** ****** *******). However, *** ********* **** ****** ** considered *** ** ****** ******** ****** is ******** ** *******.
Authentication ******, ****** ******** *.* (***-****-*****)
*** **** / ****** ************* *********,***-****-*****, *** **** * ******-******** *************, which ******* ********* ** ******* / modify *** ********** ** ****** ************** to ****** ***** *** ****** *********. The ********* **** ****** ** ********** low ** ** ******** ***** ******** access ** *** ******.
**** **** ******** **** ********