Devices Running Microsoft Teams Allow for Remote Admin Password Change without Authentication

Last updated on January 24, 2023 

Vulnerability Details

Neat Pad, Neat Bar, Neat Bar Pro, Neat Board, and Neat Frame devices running Microsoft Teams allow the Remote Access administrator password to be changed without an authentication challenge.

By design, Neat devices operate with a single administrator password for managing configuration settings. Therefore, changing the Remote Access admin password will also change the password of the local Microsoft Teams admin account on the device. Admin Settings allow for configuring Wi-Fi or Ethernet interfaces, configuring proxy settings, enabling Bluetooth, and resetting the device to factory defaults.

Products Affected

The following Neat devices and associated firmware versions are affected when running Microsoft Teams:

  • Neat Pad firmware: NFA1.20220914.1215
  • Neat Bar firmware: NFB1.20220914.1215
  • Neat Board firmware: NFC1.20220914.1215
  • Neat Bar Pro firmware: NFD1.20220914.1215
  • Neat Frame firmware: NFF1.20220914.1215

Solution

This vulnerability is being addressed as part of our latest firmware release. The full release notes for the update are available here.

The updated firmware version will ensure authentication is required for configuring remote access features and also streamline the device configuration settings available to administrators.

Workaround

In the event firmware cannot be updated immediately, the workaround is to enable web remote access, and then lock down the password from the web admin access webpage. 

Navigate to the web admin page of the Neat Pad, Neat Bar, Neat Bar Pro, Neat Board or Neat Frame. Once you have logged in, click ‘Access settings’ in the lower-left corner. You can then change the password as well as lock remote access settings on the device (see Figure A).

Figure A: Access Settings from Neat Web Admin page

Once you enable “Lock remote access settings on device”, the Remote access settings on the Neat Pad, Neat Bar, Neat Bar Pro, Neat Board, or Neat Frame will no longer show a password field and will instead advise the user to sign in from the web browser to make any changes (see Figure B).

Figure B: Remote Access settings once “Lock remote access settings on device” has been enabled

Additional Support

We encourage you to visit our support website and view new articles, FAQs, how-to and troubleshooting guides which are being regularly added there. Please search the following page to find answers to your common questions or problems: https://support.neat.no

If you encounter an issue with your Neat device, please email: support@neat.no and one of our technical support engineers will reach out to you.

Note: Neat provides support on Neat devices running current released software, or running software from the previous release. For more information on our support policy, please see the article Neat’s technical support policy.

IMPORTANT: Please see our privacy policy at https://neat.no/privacy-policy/