Researchers working for F-Secure have identified a dozen vulnerabilities in popular Barco ClickShare wireless presentation systems. While the vendor has patched the most serious vulnerabilities, the remaining issues are not easy to fix.
According to F-Secure, its experts analyzed the ClickShare devices after noticing how popular they were during their red team assessments. Their analysis was carried out over a period of several months and resulted in the discovery of vulnerabilities that can be exploited to intercept and manipulate presentations, steal passwords and other sensitive information, and install malware.
Some of the vulnerabilities require physical access to a device for exploitation, but others can be exploited remotely if the product’s default configuration has not been changed, F-Secure said.
The vulnerabilities have been found in the ClickShare base unit, the client software, and the ClickShare button, which is the USB device used to start sharing content on available AV equipment.
According to Barco, ClickShare products are used by over 40 percent of Global Fortune 1000 companies. The device models confirmed to be vulnerable by F-Secure, the CS-100 and CSE-200, cost $1,000 and $1,750, respectively.
The vulnerabilities are related to the failure to disable a JTAG debugging interface, which could be abused by malicious actors; the use of shared encryption keys, which allows an attacker to create malicious software images; OS command injection flaws; the use of testing credentials that can be leveraged to issue commands and launch man-in-the-middle (MitM) attacks; flaws allowing malware to be planted on a device using a specially crafted USB drive; and the presence of weak, hardcoded credentials that give an attacker admin privileges on a device.
Researchers also discovered that Syslog data is transmitted over the Wi-Fi connection in clear text; that an attacker can plant arbitrary code that will get side-loaded into the ClickShare client process at start; that media streams are insufficiently protected; and that an attacker can manipulate file system content and make changes that would allow them to remotely log in to the device.
Barco has patched five of the most serious vulnerabilities, including ones related to hardcoded credentials, certificate chain verification, the presence of testing credentials, file manipulation, and command injection. However, several of the flaws can only be fixed through physical maintenance and F-Secure believes they are unlikely to get patched.
“Our tests’ primary objectives were to backdoor the system so we could compromise presenters, and steal information as it’s presented. Although cracking the perimeter was tough, we were able to find multiple issues after we gained access, and exploiting them was easy once we know more about the system,” explained F-Secure Consulting’s Dmitry Janushkevich. “For an attacker, this is a fast, practical way to compromise a company, and organizations need to inform themselves about the associated risks.”
Earlier this year, Tenable disclosed a total of 15 vulnerabilities found across eight wireless presentation systems, including ones made by Barco. Barco at the time was named as one of the few notified vendors that had released patches.