Command Injection and Buffer Overflow in Multiple Sharp NEC Displays

Command Injection and Buffer Overflow in Multiple Sharp NEC Displays
Cyber Labs

17 of 20

This insight is part 17 of 20 in this Collection.

July 6, 2022 3 mins

Command Injection and Buffer Overflow in Multiple Sharp NEC Displays

CVE-2021-20698, CVE-2021-20699: Command Injection and Buffer Overflow vulnerabilities in Sharp NEC Display Solutions UN/UX Series displays.

Aon’s Cyber Solutions discovered multiple command injection and buffer overflow vulnerabilities affecting several Sharp NEC Display Solutions UN/UX series displays leading to unauthenticated remote code execution as the root user. For a complete listing of affected systems and remediation instructions, refer to the Vendor Advisory section below. The vulnerabilities were discovered by Aon’s Cyber Solutions team member Howard McGreehan.

Aon would like to thank Sharp NEC Display Solutions for working with us as part of our coordinated disclosure process.

Timeline:
  • 03/15/21 – Initial disclosure to Sharp NEC Display Solutions
  • 05/18/21 – Issues confirmed by Sharp NEC Display Solutions, firmware upgrade release dates set
  • 05/27/21 – CVEs assigned by Sharp NEC Display Solutions
  • 06/09/21 – Firmware updates released, Sharp NEC Display Solutions discloses vulnerabilities
  • 07/06/22 – Aon advisory released
Vulnerability Listing / Credits:
  • CVE-2021-20698 - Command Injection
  • CVE-2021-20699 - Buffer Overflow
Vendor Advisory:

https://www.sharp-nec-displays.com/global/support/info/A5-1_vulnerability.html

Command Injection and Buffer Overflow in Multiple Sharp NEC Display Solutions UN/UX Series Displays

Overview

Multiple command injection and buffer overflow vulnerabilities were discovered in the “cgictrl” binary within the administrative web consoles of Sharp NEC Display Solutions UN/UX series displays. These vulnerabilities can be triggered by sending specially crafted HTTP requests to the vulnerable binary. Exploiting these vulnerabilities may allow unauthenticated remote attackers to execute arbitrary code on the system as the root user, completely compromising the device.

Remediation

Refer to the Vendor Advisory for a complete list of firmware versions in which this vulnerability has been fixed and further instructions on how to upgrade the affected systems.

Aon’s Thought Leader
  • Howard McGreehan
    Manager, Security Testing, Cyber Solutions

About Cyber Solutions:

Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.

General Disclaimer

This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own professional advisors or IT specialists before implementing any recommendation or following the guidance provided herein. Further, the information provided and the statements expressed are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources that we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

More Like This

View All
Subscribe CTA Banner