Unencrypted and Unsigned Auto-Update Vulnerability in OpenELEC

Unencrypted and Unsigned Auto-Update Vulnerability in OpenELEC

CVE-2017-6445 · HIGH Severity

AV:N/AC:H/AU:N/C:C/I:C/A:C

The auto-update feature of Open Embedded Linux Entertainment Center (OpenELEC) 6.0.3, 7.0.1, and 8.0.4 uses neither encrypted connections nor signed updates. A man-in-the-middle attacker could manipulate the update packages to gain root access remotely.

Learn more about our Cis Benchmark Audit For Distribution Independent Linux.