OpenELEC and RasPlex devices have a hardcoded password for the root account, which makes it easier for remote attackers to obtain access via an SSH session.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openelec | openelec | * |
The auto-update feature of Open Embedded Linux Entertainment Center (OpenELEC) 6.0.3, 7.0.1, and 8.0.4 uses neither encrypted connections nor signed updates. A man-in-the-middle attacker could manipulate the update packages to gain root access remotely.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-311,CWE-347,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openelec | openelec | 7.0.1 |
| openelec | openelec | 6.0.3 |