Security Vulnerability Advisory
-------------------------------
CVE: CVE-2019-12305
Publication Date: 04/29/2020
Revision: 1.0
Link: https://digital.security/advisories/cert-ds_advisory-ezcast_pro_ii_admin_password-cve-2019-12305.txt


Title
-----
Information Disclosure of Admin Password


Overview
--------
The EZCast administrator password md5 hash is provided upon an HTTP request.
This hash can be cracked to access the administration panel of the device.


Affected Products
-----------------
- EZCast Pro II


Details
-------
Using the "wifi_info_GET.cgi" function, it is possible to request the unsalted MD5 hash of the administrator password.
This hash can then be quite easily cracked to recover the original password.

CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


Solution
--------
As of 08/04/2019, EZCast declared that a firmware upgrade fixing this issue is available "over-the-air". Make sure to upgrade the firmware using your prefered app from EZcast, see Support section: https://ezcast-pro.com/ezcast-pro/pro2/


Credits
-------
This vulnerability was discovered by Cédric Picard from digital.security Luxembourg and Pieterjan Denys from digital.security Belgium.


Revision History
----------------
Revision 0.1: 05/14/2019 / Initial release
Revision 1.0: 04/29/2020 / Advisory publication


Timeline
--------
2019.04.19 Vulnerability found during client audit - that client is informed
2019.05.14 Vulnerability reported to CERT-DS
2019.05.23 Vulnerability reported to EZCast
2020.04.29 Advisory publication


References
----------
https://www.ezcast.com/product/ezcast/pro/dongle2