A cross-scripting (XSS vulnerability via the Host Header was identified in certain pages after login, where remote attackers could inject arbitrary web script or HTML code.
CVSS V3 Base Score – AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Digital Alert Systems is issuing a follow-on advisory to its 2019 advisory relating to cross-scripting (XSS) vulnerabilities. An
additional vulnerability was identified in certain pages after login, which presents the potential risk for remote attackers to inject arbitrary web scripts of HTML code. Exploitable remote/low attack complexity/public exploits are available.
Affected Products and Versions
Product: DASDEC / One-Net
Versions: all software versions (CVE-2022-40204)
DAS issued a patch for the 2019 XSS security issue (CVE-2019-18265) in version 4.1, released in October 2019. The latest version can be downloaded from the following location: https://www.digitalalertsystems.com/software-updates
A patch for the 2022 XSS security issue (CVE-2022-40204) will be available shortly. Information about the availability of this software update will be sent directly to registered DASDEC users and will be posted on our website.
All DASDEC users are strongly encouraged to register or update their customer information.
General security best practices
Regularly update/patch DASDEC EAS device software to the latest version available.
Restrict exposure to external networks for all DASDEC EAS devices and ensure they are not directly accessible from the open Internet.
Deploy DASDEC EAS devices behind barrier devices (e.g. firewalls) and isolate them from business networks.
Remote access to DASDEC EAS devices should be made available on a strict need-to-use basis. Remote access should use secure methods, such as Virtual Private Networks (VPNs).
Review DASDEC security logs for suspect activity.
Disable/deactivate unused communication channels, TCP/UDP ports and services on networked devices.
Perform regular security assessments and risk analysis of critical systems, such as EAS devices.
CVE-2022-40204 – Ken Pyle
November 2022 DAS Vulnerability Advisory
Cross-scripting (XSS) vulnerability
August 2022 Update
In 2019, we became aware of vulnerabilities relating to DASDEC/One-Net software relating to cross-site scripting and other potential issues. We launched an investigation to identify potentially affected products and assess risk. In 2019, Digital Alert Systems released the version 4 series of software, which addressed these vulnerabilities along with a host of new features.
Older software versions that may be vulnerable are:
• v2.x series software (Status: deprecated. End-of-life 12/21/2016)*
• v3.x series software (Status: deprecated. End-of-life 7/1/2019)
Software versions 4.1 (release date Oct. 2019) and above include mitigations for the identified issues.
We strongly recommend updating your DASDEC/One-Net software if it is earlier than V4.1 to ensure it contains the latest operational revisions, security patches, and regulatory compliance updates.
As we have repeatedly urged, sensitive equipment like the DASDEC/One-Net must be operated within a firewall and other protective measures. EAS equipment of any type should never be placed with direct access to the Internet.
We thank the researcher for identifying these issues at the time and following responsible disclosure practices.
Digital Alert Systems continually strives to improve its products and services for our customers, but we can’t do it all alone - we need your help. In the world of Internet-connected devices, a strong vigilant focus on security is promoted by properly installing and maintaining your EAS equipment. Keeping your EAS gear behind strong firewalls and in a secure network helps create a critical barrier to unauthorized entry or exploitation. Further, maintaining your EAS device with current software updates is a key part of keeping up to date with critical security patches.
These devices are not security appliances themselves and are designed to operate BEHIND A PROPER FIREWALL!
By properly maintaining the equipment you form the crucial link in this security chain.
If you have questions, concerns or reports regarding the security of your product, contact the Digital Alert Systems security team at email@example.com, or telephone (585) 765-2254
Over the years we have released several resources on security postures to help our customers and the industry overall understand why security is so important and how it can be done. Here are just two examples:
In order to quickly communicate with our customers, it is important we are provided with current contact information on your product registration, and kept informed of any changes. This way we can communicate details on security information, vulnerabilities, and software security patches quickly and directly. We rely on you to ensure we have the most current contact information for your organization. If you haven’t completed the registration process or need to update the information please follow this link to the product registration page to provide your contact details.
It is the customer’s responsibility to properly configure, secure and maintain this equipment.† From time to time security scans are done to identify devices improperly connected to the open Internet. If you are contacted by a member of our security team, please understand our representative will be looking to advise you of the issue and help in properly securing the equipment.
The representative will be looking to assist you in one or more of the following areas:
Removing your EAS device from the public Internet
Turning off unnecessary services
Changing the default credentials
When appropriate, assisting in firmware upgrades to the EAS device.
The representative will NOT:
Ask for log in credentials
Access the device without written permission
† See, for example, FCC-CIRC1807-04.
Report a Product Security Issue or Vulnerability
Digital Alert Systems’ security assistance team is responsible for vulnerability management and overseeing and refining product security practices. The team will give reports and questions the attention they demand, including prompt acknowledgement, detailed responses, and, ultimately, the investigation and fixing of legitimate vulnerabilities.
We respectfully ask anyone who discovers a product security vulnerability follow our Vulnerability Reporting Policy thus ensuring proper discovery and handling of any issues.
Should there be any product security-related issues or questions please privately contact our security assistance team via email at firstname.lastname@example.org
When reporting an issue, please include as many details as possible, such as:
Steps to reproduce the issue
Any other details that will help us validate the issue
We ask that you do not share any vulnerability details until we have responded, and that you allow a reasonable time frame for a response.
We hope this information combined with our service and support will help you and the industry keep a diligent watch over the critical EAS infrastructure.
The Digital Alert Systems Security Team