TeleAdapt RoomCast TA-2400 up to 3.1 Android Debug Bridge access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.7 | $0-$5k | 0.00 |
Summary
A vulnerability classified as critical has been found in TeleAdapt RoomCast TA-2400 up to 3.1. Affected is an unknown function of the component Android Debug Bridge. The manipulation leads to access control. This vulnerability is traded as CVE-2023-33743. It is possible to launch the attack on the physical device. Furthermore, there is an exploit available. It is best practice to apply the suggested workaround.
Details
A vulnerability was found in TeleAdapt RoomCast TA-2400 up to 3.1. It has been rated as problematic. This issue affects some unknown processing of the component Android Debug Bridge. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
TeleAdapt RoomCast TA-2400 1.0 through 3.1 is vulnerable to Improper Access Control; specifically, Android Debug Bridge (adb) is available.The RoomCast TA-2400 is an enterprise media casting solution tailored for hotel rooms. One of the components that makes up the RoomCast is and Android node. This Android node is running a fork of Lollipop 5.1.1 that is often used with many IP TV casting devices. The Android node hosts the RoomCast.apk with functions as the user interface for the RoomCast.
The bug was discovered 05/22/2023. The weakness was shared 07/28/2023 with jTag Labs as 173764 as not defined vulnerability report (Packetstorm). It is possible to read the advisory at packetstormsecurity.com. The vendor cooperated in the coordination of the public release. The RoomCast TA-2400, versions 1.0-3.1+, has multiple critical security vulnerabilities, including clear-text storage of sensitive information within executables, improper access control, improper privilege management, and the use of hard-coded passwords. Uniting these vulnerabilities paves the way for a complete compromise of the device and, in turn, exposes clients to direct threats from those exploiting the compromised unit. The identification of this vulnerability is CVE-2023-33743 since 05/22/2023. Technical details are unknown but a public exploit is available. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK. The following code is the reason for this vulnerability:
service.adb.tcp.port=5555The Android Lollipop 5.1.1 fork running on the RoomCast has an Improper Access Control vulnerability. This vulnerability is caused by the Android Debug Bridge (ADB) service running on the Android node. By default ADB operates on TCP port 5555 and requires no authentication in order to establish a shell on the node. Because ADB is actively running on the RoomCast anyone connected to the LAN or WLAN of the RoomCast can establish a terminal session with the RoomCast Android node without requiring any authentication.
A public exploit has been developed in adb and been published even before and not after the advisory. The exploit is available at packetstormsecurity.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 65 days. During that time the estimated underground price was around $0-$5k. The code used by the exploit is:
adb connect [android_node_ip]:5555By default the Android Debug Bridge operates on TCP port 5555 and requires no authentication in order to establish a shell on the node. ADB is accessible from both the LAN and WLAN of the RoomCast. Once you are connected to one of the RoomCast networks you can run a quick network map to determine the IP address of the Android node. If you have the IP address of the Android node all that is required to establish a terminal session with the Android node is running the adb connect command. Once a connection is established you will be in an interactive terminal session as the account Shell.
It is possible to mitigate the problem by applying the configuration setting adb_enabled 0.Addressing this vulnerability is possible by firewalling 5555. The best possible mitigation is suggested to be Workaround. A possible mitigation has been published even before and not after the disclosure of the vulnerability. The vulnerability will be addressed with the following lines of code:
settings put global adb_enabled 0The most straightforward approach to prevent any potential breaches arising from the ADB service running is to disable the ADB service globally on the Android node. By doing so, the ADB port 5555 will be closed, rendering all connections to that port unavailable.
The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2023-37895). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.9VulDB Meta Temp Score: 6.7
VulDB Base Score: 4.1
VulDB Temp Score: 3.7
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Access controlCWE: CWE-284 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: Yes
Local: Yes
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: WorkaroundStatus: 🔍
Reliability: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Config: adb_enabled 0
Firewalling: 🔍
Workaround: Disable the ADB service
Timeline
05/22/2023 🔍05/22/2023 🔍
06/05/2023 🔍
07/26/2023 🔍
07/27/2023 🔍
07/28/2023 🔍
07/28/2023 🔍
01/06/2026 🔍
Sources
Advisory: 173764Organization: jTag Labs
Status: Not defined
Coordinated: 🔍
CVE: CVE-2023-33743 (🔍)
GCVE (CVE): GCVE-0-2023-33743
GCVE (VulDB): GCVE-100-235619
EUVD: 🔍
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 07/28/2023 07:04Updated: 01/06/2026 13:26
Changes: 07/28/2023 07:04 (38), 07/31/2023 07:19 (25), 07/31/2023 07:20 (9), 08/20/2023 14:15 (11), 03/28/2024 08:17 (2), 07/03/2024 03:04 (19), 01/06/2026 13:26 (1)
Complete: 🔍
Submitter: jTag Labs
Committer: jTag Labs
Cache ID: 216::103
Submit
Accepted
- Submit #185319: RoomCast TA-2400 - CVE-2023-33743 - IMPROPER ACCESS CONTROL (by jTag Labs)
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.