Vulnerability Report

CVE-2020-16257 Winston IoT RCE

Virsec Security Research Lab Vulnerability Report

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

****IMPORTANT UPDATE****

In response to our blog, Winston Privacy has responded with additional information and corrections about details reported. We appreciate their prompt response and feedback below:

“While we were thankful to Bishop Fox for alerting us to these vulnerabilities, there were several misrepresentations in their original report which they have corrected/updated. Most notably is that once the firm notified us, we issued a zero-day fix for the most critical vulnerability within 24 hours (which is nearly unheard of for a small tech start-up). The remaining patches were rolled out in subsequent firmware releases. Also, please note that SSH access is disclosed to users when they report critical bugs that need remote assistance. We provide instructions at that time on how to open ports to provide this access to us. At Winston Privacy, we take a proactive stance on security and include both defensive and anticipatory security features in each release. We push firmware updates on a more or less monthly cadence, though policy updates are pushed daily and hotfixes are released as needed.”


Vulnerability Summary

The Winston Privacy device management API is vulnerable to command injection resulting in unauthenticated remote code execution (RCE). Specifically, the /api/advanced_settings endpoint allows device settings to be altered, including the Proxy Address.

By exploiting these vulnerabilities, a remote unauthenticated attacker could compromise the Winston Privacy device at the root level (high privilege), gaining complete control of the device as well as access to the user's local network. The vulnerabilities allowed any device setting to be altered through an attack chain. Additionally, an SSH service was discovered on the device that was undocumented, so users were unaware of it, meaning Winston Privacy staff could access devices remotely.
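As an added illustration that is not part of Virsec's report or of Winston Privacy's firmware (the device's real settings handler is not shown on this page), the following Python sketch contrasts the injectable pattern the summary describes, a proxy address spliced into a shell command, with a handler that validates the field as host:port and never invokes a shell. The field name, the set_proxy helper binary and all function names are assumptions.

```python
import ipaddress
import re
import subprocess

# Hypothetical field name; the real /api/advanced_settings schema is not on the page.
PROXY_FIELD = "proxy_address"

# A hostname: dot-separated labels of letters, digits and hyphens (no leading/trailing hyphen).
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_unsafe(settings: dict) -> str:
    """Injectable pattern: the untrusted field is concatenated into one shell string.
    The string is returned, not executed, so the metacharacter problem can be inspected."""
    return f"set_proxy {settings[PROXY_FIELD]}"


def parse_proxy_address(value: str) -> tuple[str, int]:
    """Accept only host:port, where host is an IPv4 address or a hostname; reject everything else."""
    host, sep, port_text = value.rpartition(":")
    if not sep or not host or not port_text.isdigit():
        raise ValueError("proxy address must be host:port")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if len(host) > 253 or not _HOST_RE.fullmatch(host):
            raise ValueError("invalid proxy host") from None
    return host, port


def build_command_safe(settings: dict) -> list[str]:
    """Hardened pattern: validate first, then build an argv list so no shell parses the value."""
    host, port = parse_proxy_address(str(settings.get(PROXY_FIELD, "")))
    return ["set_proxy", f"{host}:{port}"]


def apply_proxy(settings: dict) -> None:
    # With a list and shell=False, each element reaches the (hypothetical) helper as one argument.
    subprocess.run(build_command_safe(settings), shell=False, check=True)
```

The unsafe builder passes a value containing shell metacharacters straight through, while the safe builder rejects it before any command is formed.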


CVSS Score

The CVSS Base Score is 9.8 (Critical)

Affected Version

Winston 1.5.4 devices

Vulnerability Attribution

Reported by Sergei Glazunov of Google Project Zero on 2020-11-01.

Risk Impact

Winston Privacy combines a hardware device with a subscription offering that keeps its users' Internet browsing free from the prying eyes of what some privacy advocates regard as the large companies. Winston protects its users from security attacks. A public exploit is available for this vulnerability.

IoT Security Attacks

The biggest attack vector for IoT products is DNS rebinding, where a malicious actor tricks the device into connecting somewhere other than where it intended, potentially even receiving firmware updates from an attacker's server in a country halfway around the world. That server could deliver new code that lets the attacker control the device. Winston prevents these automated takeovers by intercepting all outbound DNS requests, encrypting them, and sending them to Cloudflare or IBM. The requests are also scrambled, providing an enhanced level of privacy protection on top of the heightened security features.

Reference Links

Download the full vulnerability report to learn more about this and other important vulnerabilities.