CVE-2021-44564

Vulnerability

The vulnerability resides in the Kalkitech SYNC2101 product, affecting specific sub-families of SYNC devices. An attacker can download the configuration file used on the device and then apply a modified configuration back to it. This is possible because the communication channel between the administration tool Easyconnect and the SYNC device is unsecured [1]. The affected versions are not explicitly listed in the reference, but the advisory specifically mentions CVE-2021-44564 in the SYNC2101 product family.

Exploitation

To exploit this vulnerability, an attacker needs network access to the target SYNC device and knowledge of its IP address. No authentication is required. The attack involves downloading the device's current configuration file, modifying it, and then uploading the malicious configuration back to the device through the unencrypted Easyconnect communication channel [1].

Impact

Successful exploitation allows an attacker to alter the device's configuration, which can lead to unauthorized changes in device behavior, potential data exposure, or disruption of operations. The attacker gains the ability to control device settings without legitimate privileges [1].

Mitigation

The referenced advisory does not provide details on a specific fixed version or release date. Users are advised to consult Kalkitech's cybersecurity page and contact their support for patch information. As of the advisory publication, no workaround is disclosed [1].