Hacker finds video, etc/passwd leak in Vidyo teleconf tool used by US Army, NASA and CERN
Sydney security tester Jamieson O’Reilly has reported a since-patched vulnerability in popular video platform Vidyo, used by the likes of the US Army, NASA, and CERN, that could see videos leaked and systems compromised.
O’Reilly, director of intelligence for consultancy Content Protection, says he picked up the bug during a client test and reported it to the New Jersey video company, which has since issued a patch.
Google searches for vulnerable strings reveal hits for affected clients.
The company says some 3000 Fortune 100 SMB customers and 39 of the top 100 healthcare networks in the US use the product, together clocking more than 50 million minutes in talk time.
“I ended up finding an arbitrary file disclosure vulnerability,” O’Reilly told The Register.
“It’s more than just [leaked] videos, also Linux filesystem files (/etc/passwd) and other conf files.
“I’ve never heard of this software before and thought that the risk exposure was quite low until I looked at the clients.
“There are a lot of publicly accessible Vidyo endpoints that are probably vulnerable that you can identify using Google.”
O’Reilly says the patch version 22.214.171.124 has been released to close the hole. ®