ENTTEC Lighting Controllers (Update A) (ICSA-20-177-01)

September 15, 2020

CISA has updated this advisory with additional details on the affected products and mitigation measures. Access the advisory at CISA.

June 25, 2020

CISA has published an advisory on use of hard-coded cryptographic key, cross-site scripting, improper access control, and incorrect permission assignment for critical resource vulnerabilities in ENTTEC Lighting Controllers. Datagate, Storm 24, Pixelator, and E-Streamer Mk2 are affected. Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized SSH/SCP access to devices, inject malicious code, run commands with root privileges, and read, write, and execute files in system directories as any user. ENTTEC is looking into these vulnerabilities but has not yet released updated software. They recommend devices should be located behind appropriate firewalls and network controls, and not accessible from the Internet. CISA also recommends a series of measures to mitigate the vulnerabilities. Access the advisory at CISA.