Black Duck Advisory: RCE and Credential Exposure in Telepad, PC Keyboard, Lazy Mouse (CVE-2022-45477 to 45483)

Critical Vulnerability Information Affected Applications Telepad: Versions 1.0.7 and earlier PC Keyboard: Versions 30 and earlier Lazy Mouse: Versions 2.0.1 and earlier Vulnerability Impact CVE-2022-45477 Telepad allows remote unauthenticated users to send commands to the server to execute arbitrary code, without any prior authorization or authentication. CVSS 3.1 Base Score: 9.8 CVE-2022-45478 Telepad allows attackers to sniff communication data between the server and connected devices on the network, including plaintext passwords. CVSS 3.1 Base Score: 5.1 CVE-2022-45479 PC Keyboard allows remote unauthenticated users to send commands to the server to execute arbitrary code, without any prior authorization or authentication. CVSS 3.1 Base Score: 9.8 CVE-2022-45480 PC Keyboard allows attackers to sniff communication data between the server and connected devices on the network, including plaintext passwords. CVSS 3.1 Base Score: 5.1 CVE-2022-45481 Lazy Mouse’s default configuration does not require a password, allowing remote unauthenticated users to execute arbitrary code, without any prior authorization or authentication. CVSS 3.1 Base Score: 9.8 CVE-2022-45482 Lazy Mouse server enforces a weak password policy and lacks rate limiting, enabling attackers to rapidly brute-force PIN codes and execute commands. CVSS 3.1 Base Score: 9.8 CVE-2022-45483 Lazy Mouse allows attackers to sniff communication data between the server and connected devices on the network, including plaintext passwords. CVSS 3.1 Base Score: 5.1 Mitigation Black Duck Cybersecurity Research Center repeatedly contacted the developers but received no response within 90 days. Immediate removal of these applications is recommended. Developers are no longer maintaining these applications, leading to unresolved security issues. Discoverer Security researcher Mohammed Alshehri discovered these vulnerabilities. Timeline August 13, 2022: Initial disclosure August 18, 2022: Follow-up communication October 12, 2022: Final follow-up November 29, 2022: Black Duck issued public advisory

Goal Reached Thanks to every supporter — we hit 100%!

Black Duck Advisory: RCE and Credential Exposure in Telepad, PC Keyboard, Lazy Mouse (CVE-2022-45477 to 45483)