2.2.8 INCORRECT PRIVILEGE ASSIGNMENT CWE-266 An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions.ĬVE-2022-1745 has been assigned to this vulnerability. The authentication mechanism used by technicians on the tested version of ImageCast X is susceptible to forgery. 2.2.7 AUTHENTICATION BYPASS BY SPOOFING CWE-290 An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code.ĬVE-2022-1744 has been assigned to this vulnerability. 2.2.6 EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250Īpplications on the tested version of ImageCast X can execute code with elevated privileges by exploiting a system level service. An attacker could leverage this vulnerability to spread malicious code to ImageCast X devices from the EMS.ĬVE-2022-1743 has been assigned to this vulnerability. The tested version of ImageCast X can be manipulated to cause arbitrary code execution by specially crafted election definition files. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code.ĬVE-2022-1742 has been assigned to this vulnerability. The tested version of ImageCast X allows for rebooting into Android Safe Mode, which allows an attacker to directly access the operating system. 2.2.4 IMPROPER PROTECTION OF ALTERNATE PATH CWE-424 The tested version of ImageCast X has a Terminal Emulator application which could be leveraged by an attacker to gain elevated privileges on a device and/or install malicious code.ĬVE-2022-1741 has been assigned to this vulnerability. An attacker could leverage this vulnerability to disguise malicious applications on a device.ĬVE-2022-1740 has been assigned to this vulnerability. The tested version of ImageCast X’s on-screen application hash display feature, audit log export, and application export functionality rely on self-attestation mechanisms. 2.2.2 MUTABLE ATTESTATION OR MEASUREMENT REPORTING DATA CWE-1283 An attacker could leverage this vulnerability to install malicious code, which could also be spread to other vulnerable ImageCast X devices via removable media.ĬVE-2022-1739 has been assigned to this vulnerability. Use of a trusted root certificate ensures software installed on a device is traceable to, or verifiable against, a cryptographic key provided by the manufacturer to detect tampering. The tested version of ImageCast X does not validate application signatures to a trusted root certificate. 2.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347 NOTE: Mitigations to reduce the risk of exploitation of these vulnerabilities can be found in Section 3 of this document. Instructions to check for and mitigate this condition are available from Dominion Voting Systems.Īny jurisdictions running ImageCast X are encouraged to contact Dominion Voting Systems to understand the vulnerability status of their specific implementation. NOTE: After following the vendor’s procedure to upgrade the ImageCast X from Version 5.5.10.30 to 5.5.10.32, or after performing other Android administrative actions, the ImageCast X may be left in a configuration that could allow an attacker who can attach an external input device to escalate privileges and/or install malicious code.ImageCast X application Versions 5.5.10.30 and 5.5.10.32, as used in Dominion Democracy Suite Voting System Version 5.5-A.ImageCast X firmware based on Android 5.1, as used in Dominion Democracy Suite Voting System Version 5.5-A.The following versions of the Dominion Voting Systems ImageCast X software are known to be affected (other versions were not able to be tested): Many of these mitigations are already typically standard practice in jurisdictions where these devices are in use and can be enhanced to further guard against exploitation of these vulnerabilities. Jurisdictions can prevent and/or detect the exploitation of these vulnerabilities by diligently applying the mitigations recommended in this advisory, including technical, physical, and operational controls that limit unauthorized access or manipulation of voting systems. While these vulnerabilities present risks that should be mitigated as soon as possible, CISA has no evidence that these vulnerabilities have been exploited in any elections.Įxploitation of these vulnerabilities would require physical access to individual ImageCast X devices, access to the Election Management System (EMS), or the ability to modify files before they are uploaded to ImageCast X devices. The ImageCast X can be configured to allow a voter to produce a paper record or to record votes electronically. This advisory identifies vulnerabilities affecting versions of the Dominion Voting Systems Democracy Suite ImageCast X, which is an in-person voting system used to allow voters to mark their ballot.
0 Comments
Leave a Reply. |