CVE-2020-16257 Winston IoT RCE
Virsec Security Research Lab Vulnerability Report
The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.
In response to our blog, Winston Privacy has responded with additional information and corrections about details reported. We appreciate their prompt response and feedback below:
“While we were thankful to Bishop Fox for alerting us to these vulnerabilities, there were several misrepresentations in their original report which they have corrected/updated. Most notably is that once the firm notified us, we issued a zero-day fix for the most critical vulnerability within 24 hours (which is nearly unheard of for a small tech start-up). The remaining patches were rolled out in subsequent firmware releases. Also, please note that SSH access is disclosed to users when they report critical bugs that need remote assistance. We provide instructions at that time on how to open ports to provide this access to us. At Winston Privacy, we take a proactive stance on security and include both defensive and anticipatory security features in each release. We push firmware updates on a more or less monthly cadence, though policy updates are pushed daily and hotfixes are released as needed.”
The Winston Privacy device management API is vulnerable to command injection resulting in unauthenticated remote code execution (RCE). Specifically, the /api/advanced_settings endpoint allows device settings to be altered, including the Proxy Address.
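As an added illustration (not code from Winston Privacy or from the report), the pattern behind this class of bug sits next to its hardened counterpart: a settings value such as the Proxy Address pasted into a shell command line, versus strict host:port validation with the value handed over as a separate argv element so no shell ever parses it. The `set_proxy` helper name, the handler functions and the sample values are assumptions.

```python
import ipaddress
import re

# DNS name: labels of letters, digits and inner hyphens only, 253 chars max.
# No shell metacharacter (; | & ` $ ( ) etc.) can pass this pattern.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def vulnerable_proxy_command(proxy_address: str) -> str:
    """The pattern behind the bug: the setting is interpolated into a shell
    command line. Returns the string that would be handed to `sh -c`
    (nothing is executed here); injected text flows through untouched."""
    return f"set_proxy {proxy_address}"  # hypothetical helper binary


def validate_proxy_address(value: str) -> tuple[str, int]:
    """Accept only host:port where host is an IP literal or a DNS name.
    Raises ValueError for anything else, including shell metacharacters."""
    host, sep, port_str = value.rpartition(":")
    if not sep or not host or not port_str.isdigit():
        raise ValueError("expected host:port")
    port = int(port_str)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    host = host.strip("[]")  # allow the [v6-literal]:port form
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not _HOST_RE.match(host):
            raise ValueError("host is neither an IP literal nor a DNS name") from None
    return host, port


def hardened_proxy_argv(proxy_address: str) -> list[str]:
    """Validated value as its own argv element, e.g. for subprocess.run(argv)
    without shell=True: the argument can never become additional commands."""
    host, port = validate_proxy_address(proxy_address)
    return ["set_proxy", f"{host}:{port}"]


def is_safe_proxy_setting(proxy_address: str) -> bool:
    """Convenience check a settings endpoint can call before persisting."""
    try:
        validate_proxy_address(proxy_address)
    except ValueError:
        return False
    return True
```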
By exploiting these vulnerabilities, a remote unauthenticated attacker could compromise the Winston Privacy device at the root (highest privilege) level, gaining complete control of the device as well as access to the user's local network. Chained together, the vulnerabilities allowed any device setting to be altered. Additionally, an SSH service was discovered on the device that was not documented to users, meaning Winston Privacy staff could access devices remotely.
The CVSS Base Score is 9.8 (Critical).
Affected products: Winston 1.5.4 devices.
Reported by Sergei Glazunov of Google Project Zero on 2020-11-01.
Winston Privacy combines a hardware device with a subscription service intended to keep its users' Internet browsing free from the prying eyes of the large companies that some privacy advocates warn about, and to protect its users from security attacks. A publicly available exploit exists for this vulnerability.
IoT Security Attacks
The biggest attack vector for IoT products is DNS rebinding, where a malicious actor tricks the device into connecting somewhere other than where it intended, potentially even receiving firmware updates from an attacker's server halfway around the world. That server could push new code that allows the attacker to control the device. Winston prevents these takeovers by intercepting all outbound DNS requests, encrypting them, and sending them to Cloudflare or IBM. The requests are also scrambled, providing enhanced privacy on top of the heightened security features.