Software Engineering Institute

Notified:  January 20, 2017 Updated: February 01, 2017

Statement Date:   January 31, 2017

Status

Affected

Vendor Statement

This vulnerability was addressed in the basic design of our Addon keypad since
its inception. The SH Designs program cannot be used to modify the firmware in
our keypad without specialized knowledge of specific procedures necessary to
initiate a firmware replacement.

We have further strengthened the procedure as of firmware version 5.5.05 to
include the necessity to also enter the administrator password to initiate a
firmware replacement.

To identify which type of protection your keypad has, verify the program
version in the keypad by looking at the printed header at power-up.

To be clear, the SH Designs program that has the vulnerability would normally
only be used by trained service personnel on a very infrequent basis. Field
updates to the firmware in the keypad are not often done. Also, specific
knowledge of the keypad operation is necessary to use the SH Designs program to
perform a firmware update. Furthermore, the knowledge and time investment
necessary to create and install a program that might be able to perform a
malicious action with an embedded processor like the one used in our keypad
creates a very unlikely scenario that it would ever be attempted. Our product
does not even use a standard operating system. The keypad is also normally used
in a secure location that would have UDP access restricted at the router to the
subnet level.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.