Incorrect default permissions in Biamp Evoko Home

Posted date 23/12/2024
Identifier
INCIBE-2024-0622
Importance
4 - High
Affected Resources
  • Evoko Home Service for Windows, versions from 2.4.2 to 2.7.4.
Description

INCIBE has coordinated the publication of a high severity vulnerability affecting different versions of Evoko Home, a system for managing Liso room reservation devices installed outside meeting rooms, which was discovered by Alexander Huaman.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-12903: CVSS v3.1: 7.8 | CVSS AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-276.
Solution

No solution is currently available; the fix is planned to be included in the release of the new framework in 2025. As a temporary mitigation until the new version is released, use Ubuntu instead of Windows.

Detail
  • CVE-2024-12903: incorrect default permissions vulnerability in Evoko Home, affecting versions 2.4.2 to 2.7.4. A non-admin user could exploit weak file and folder permissions to escalate privileges, execute arbitrary code and maintain persistence on the compromised machine. Full control permissions have been identified for the ‘Everyone’ group (i.e. any user with local access to the operating system, regardless of their privileges).
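A defender-side audit for the condition described above, added here as an example; it is not part of the INCIBE advisory or of Biamp's own code. The service name pattern 'Evoko*' and the install location are assumptions, since the advisory gives neither; the directory is resolved from the service's registered executable path.

```powershell
# Added audit script (not from the advisory or the vendor). Lists files and folders
# under a Windows service's install directory on which a low-privilege principal
# such as 'Everyone' holds write-capable rights: the CWE-276 condition behind
# CVE-2024-12903, which lets a local non-admin user alter what the service executes.
function Get-WeakServiceDirectoryAcl {
    param(
        [string]$ServiceNamePattern = 'Evoko*'   # assumed; set to the real service name
    )
    # Principals that any local user is a member of.
    $broadPrincipals = @('Everyone', 'BUILTIN\Users',
                         'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # Rights that allow replacing or altering the service's binaries. FullControl and
    # Modify both include these bits, so ACEs granting either are matched too.
    $writeRights = [System.Security.AccessControl.FileSystemRights] `
        'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $ServiceNamePattern -and $_.PathName } |
        ForEach-Object {
            $svc = $_
            # PathName may be quoted and carry arguments, e.g. "C:\dir\svc.exe" --run
            $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
                   else { ($svc.PathName -split ' ')[0] }
            $dir = Split-Path -Parent $exe
            if (-not (Test-Path -LiteralPath $dir)) { return }   # skip this service
            $items = @(Get-Item -LiteralPath $dir) +
                     @(Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue)
            foreach ($item in $items) {
                $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
                if (-not $acl) { continue }
                foreach ($ace in $acl.Access) {
                    if ($ace.AccessControlType -ne 'Allow') { continue }
                    if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                    if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
                    [pscustomobject]@{
                        Service   = $svc.Name
                        RunsAs    = $svc.StartName      # usually LocalSystem for a service
                        Path      = $item.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Every row returned is a finding to fix by restricting the ACE to administrators.
Get-WeakServiceDirectoryAcl | Format-Table -AutoSize
```

Run it from an elevated prompt so every file's ACL can be read; ACEs expressed as generic rights show up as raw integers and are not matched here, so cross-check anything suspicious with icacls.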