Description:
The ltsudo set-passwd subcommand accepts user:password pairs on stdin and changes the password of any LARM user, including the larmapp service account. No authorization check restricts which accounts a superadmin-group user may modify.
Impact:
Any superadmin user can impersonate the larmapp service account via su - larmapp
Mitigation:
Upgrade to firmware version 8.4.18.

