Many Cablecast customers use Carousel as an on-air bulletin board and therefore are affected by recent vulnerabilities discovered in Carousel software. To read more about these vulnerabilities please refer to: https://www.carouselsignage.com/knowledgebase/security-announcement-february-4-2019
First and foremost, if the password for the default admin account has been changed, you are at very little risk, as the exploits all depend on having the ability to upload and create new bulletins.
Second, if you are still using the default username and password, or if your password is otherwise weak or insecure, we recommend you change your password immediately. Instructions for doing so are included below.
Changing Your Password
Step 1 - Navigate to Frontdoor
Open up the main menu of Frontdoor. If you are logged into Cablecast, click the Tightrope Icon to navigate to Frontdoor.
Step 2 - Click Change Password
Step 3 - Enter New Password and Click Change Password
Installing the Cablecast Support Tool
The Tightrope support tool previously relied on saved passwords in order to allow Tightrope support representatives access to servers during support incidents. As a precaution, we are disabling any saved passwords when upgrading Frontdoor / Carousel.
For improved usability and security that does not rely on saved passwords, the Cablecast team is making available a new version of the Cablecast Support Tool. Please refer to the link below to upgrade to this tool.
Installing Security Updates
As the Carousel team releases security fixes for these issues, we advise customers to request update keys so their software can be fixed. To request an update key, click the link below:
Currently, security releases are only available for Carousel 7.4 and above. Older versions will receive updates in the coming days, and we will update this article as new releases become available.
Important Notes Regarding Carousel Security Updates
- The Carousel security updates will disable any unattended access passwords for the TeamViewer support tool used by Tightrope Media Systems. This is strictly a precautionary measure, but if you have a custom unattended password for TeamViewer, it will need to be reset after installation. We recommend Cablecast customers upgrade to the Cablecast Support Tool outlined above.
- If the default username / password for the system is not changed before installing the update, then the account will be locked out and must be changed by accessing the system through http://localhost.