ESPEC North America Web Controller Privilege Escalation Vulnerability

A vulnerability in ESPEC North America Web Controller versions prior to 3.3.8 allows an attacker with physical access to gain elevated privileges. This is possible because both GRUB and the BIOS lack password protection. In the affected versions, an attacker can modify GRUB configurations and boot parameters, or alter the BIOS by booting from USB media, potentially compromising the system's firmware.

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of the GRUB bootloader and BIOS settings, allowing for elevated privileges and potential alterations to the system's firmware.

Remediation

To address this vulnerability, users should update the Web Controller firmware to version 3.3.8 or newer. For the BIOS, a password can be manually applied to restrict access. This password must be entered to boot the system after each power cycle.