        Security at Crestron

        Thousands of companies across hundreds of industries, government agencies, universities, and more have standardized on Crestron products. They trust and rely on Crestron to make their lives simpler and their work/education environments secure. Central to that success is Crestron's unwavering commitment to network security. Simply put, "If it's on the network, it must be secure." Clients need to know who and what is on their network.

        Our Process

        A secure system, of course, doesn't just happen. There are a large number of considerations that need to be accounted for throughout the development process. Crestron allocates and dedicates resources to define the problem spaces and document the appropriate solutions.

        Step 1 - Identifying risks that are applicable to the systems and identifying assumptions about the operating environment.

        Step 2 - All source code is reviewed to ensure not only proper functionality, but also conformance to security guidelines.

        Step 3 - Source code is subjected to scans using automated tools that review code for common errors and security holes.

        Step 4 - A rigorous testing process is in place once the software/firmware is compiled and loaded into systems. Each night, the latest code is built and automated tests are run to ensure system stability. Included in these tests are standard network scanning tools to ensure that no unauthorized ports, etc. have been opened.

        Providing network security at the product level.

        Enterprise IT departments categorize devices that don't support these features as a security risk.

        • AES Encryption - Ensures secure transmissions. The same protocol banks use to protect transactions on the Internet.
        • 802.1x Authentication - Ensures that every device on the network is explicitly authorized by the IT department.
        • Active Directory® - Centralized credential management ensures that only authorized users gain access.
        • JITC Certification - Crestron products have received approval by the Joint Interoperability Test Command (JITC) of the U.S. Department of Defense Information Systems Agency (DISA) and have been added to the Unified Capabilities (UC) Approved Products List (APL).
        • PKI Authentication - Required when simple passwords are inadequate to confirm the identity of the parties involved in a particular action or communication, and to validate the information being transferred.
        • TLS - The most widely used security protocol, TLS provides privacy and data integrity between two applications communicating over a network.
        • SSH Network Protocol - Encrypts and protects communications, whereas Telnet, used in other Network AV products, does not.
        • HTTPS - The secure version of HTTP, HTTPS encrypts the data sent between your web browser and the website you're connected to, ensuring the privacy and integrity of the exchanged data. The "S" at the end of HTTPS stands for "Secure."
        • Secure CIP - Ensures communications between Crestron control processors and DM NVX devices are secure.
        Updated Date Vulnerability Threat Identifier How Is Crestron Affected Resources tags More Information
        9/24/2018 12:00:00 AM Nessus detects multiple vulnerabilities on port 7000 Nessus scanner detects AirMedia as an AppleTV and reports subsequent vulnerabilities. There are multiple CVEs associated with this. Please see the related document. This is a false positive triggered by AirPlay compatibility. Refer to Airmedia - Nessus Vulnerability Scanner False Positive Mitigation Guideline - Airplay for details. Airmedia - Nessus Vulnerability Scanner False Positive Mitigation Guideline - Airplay AM-100/101
        5/10/2019 12:00:00 AM Authentication Bypass in AM-100/AM-101 Crestron is aware of a vulnerability in the AM-100 and AM-101 units that can allow a user to bypass authentication. All users are urged to update firmware to the versions noted.

        The latest AM-100/101 firmware release includes the CVE-2019-3910 fix. See the link below under Resources.

        Please note the following vulnerabilities only affect the Airmedia AM-100 and AM-101 devices. All other second generation AirMedia devices are not affected.
         

        CVE-2019-3910: Authentication Bypass - This vulnerability has been resolved in the current firmware and can be downloaded on the product page. Minimum firmware version to address this vulnerability: 2.7.0 (AM-101) and 1.6.0 (AM-100). Affected Devices:

        • AM-101
        • AM-100
        Firmware Release: https://www.crestron.com/en-US/Software-Firmware/Firmware/Audio-Video-Solutions/AM-100_AM-101/AM-100-1-7-0-AM-101-2-8-0 AM-100/101
        10/24/2018 12:00:00 AM CVE-2018-10933: libssh Server Allows Unauthorized Access Crestron is aware of a vulnerability found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access. This vulnerability has been assigned CVE identifier CVE-2018-10933. While Crestron does use libssh in some products, it is not used for authentication in any circumstance. Therefore, no Crestron products are affected by this vulnerability. CVE-2018-10933 libssh
        8/9/2018 12:00:00 AM CVE-2018-11228: OS COMMAND INJECTION Crestron is aware of a vulnerability which allows for unauthenticated remote code execution via a Bash shell service in Crestron Toolbox Protocol (CTP). This vulnerability has been assigned CVE identifier CVE-2018-11228.

        Minimum firmware version to address this vulnerability: v2.001.0037.001. Affected Devices:

        • TSW-1060
        • TSW-760
        • TSW-560
        • TSW-1060-NC
        • TSW-760-NC
        • TSW-560-NC

        CVE-2018-11228

        August 2018 Crestron Vulnerability Report

        Touchscreens
        8/9/2018 12:00:00 AM CVE-2018-11229: OS COMMAND INJECTION Crestron is aware of a vulnerability which allows for unauthenticated remote code execution via command injection in Crestron Toolbox Protocol (CTP). This vulnerability has been assigned CVE identifier CVE-2018-11229.

        Minimum firmware version to address this vulnerability: v2.001.0037.001. Affected Devices:

        • TSW-1060
        • TSW-760
        • TSW-560
        • TSW-1060-NC
        • TSW-760-NC
        • TSW-560-NC

        CVE-2018-11229

        August 2018 Crestron Vulnerability Report

        Touchscreens
        8/9/2018 12:00:00 AM CVE-2018-10630: IMPROPER ACCESS CONTROL Authentication is not enabled by default on affected devices. With the minimum firmware version listed below, Crestron’s CTP Console and Telnet access are now disabled by default. Only SSH is available for configuration. If the device does not have authentication enabled, an SSH Banner will display a warning which recommends securing the device. This vulnerability has been assigned CVE identifier CVE-2018-10630. Minimum firmware version to address this vulnerability: v1.502.0047.001. Affected Device: MC3.

        CVE-2018-10630

        August 2018 Crestron Vulnerability Report

        MC3
        8/9/2018 12:00:00 AM CVE-2018-13341: ELEVATION OF PRIVILEGE IN CRESTRON TERMINAL PROTOCOL Crestron TSW-XX60 touch panel devices were affected by a privilege-escalation vulnerability that could be exploited through access to administrative credentials in the device firmware. SUDO is a debug-specific command that can only be issued by an authenticated ADMIN user/account. However, to eliminate any possible confusion, the supwdgenerator executable has been completely removed from the device and the original generation algorithm has been modified. This vulnerability has been assigned CVE identifier CVE-2018-13341.

        Minimum firmware version to address this vulnerability: v2.001.0037.001. Affected Devices:

        • TSW-1060
        • TSW-760
        • TSW-560
        • TSW-1060-NC
        • TSW-760-NC
        • TSW-560-NC

        CVE-2018-13341

        August 2018 Crestron Vulnerability Report

        Touchscreens
        6/19/2018 12:00:00 AM CVE-2017-16710: CROSS-SITE SCRIPTING VULNERABILITY Crestron is aware of a vulnerability in the AM-100 and AM-101 units that allows for cross-site scripting. Authentication as an administrator is required for an attacker to use this exploit. This vulnerability has been assigned CVE identifier CVE-2017-16710.

        This vulnerability has been resolved in the current firmware and can be downloaded on the product page.

        Minimum firmware version to address this vulnerability: 2.7.0 (AM-101) and 1.6.0 (AM-100). Affected Devices:

        • AM-101
        • AM-100
        CVE-2017-16710 AM-100/101
        6/19/2018 12:00:00 AM CVE-2017-16709: REMOTE CODE EXECUTION VULNERABILITY Crestron is aware of a vulnerability in the AM-100 and AM-101 units that allows for remote code execution. Authentication as an administrator is required for an attacker to use this exploit. This vulnerability has been assigned CVE identifier CVE-2017-16709.

        This vulnerability has been resolved in the current firmware and can be downloaded on the product page.

        Minimum firmware version to address this vulnerability: 2.7.0 (AM-101) and 1.6.0 (AM-100). Affected Devices:

        • AM-101
        • AM-100
        CVE-2017-16709 AM-100/101
        8/9/2018 12:00:00 AM CVE-2018-11228: UNAUTHENTICATED REMOTE CODE EXECUTION VIA BASH SHELL SERVICE IN CTP Crestron is aware of a vulnerability with specific touch panels which allows for unauthenticated remote code execution via bash. If authentication is enabled, the probability of exploit is lower as authentication is required. This vulnerability has been assigned CVE identifier CVE-2018-11228.

        This vulnerability has been resolved in the current firmware and can be downloaded on the product page.

        Minimum firmware versions to address this vulnerability:

        • TSW-X60 Series use FW 2.0001.0037.001 or later
        • TSW-X52 Series use FW 1.004.0007 or later

        Affected Devices:

        • TSW-1060
        • TSW-760
        • TSW-560
        • TSW-1060-NC
        • TSW-760-NC
        • TSW-560-NC
        • TSW-552
        • TSW-752
        • TSW-1052
        • TSR-302
        • TST-602
        • TST-902
        • TSW-732
        • TSS-752
        • DMC-STR

        Additional products are being tested.

        CVE-2018-11228 Touchscreens
        8/9/2018 12:00:00 AM CVE-2018-11229: UNAUTHENTICATED REMOTE CODE EXECUTION VIA COMMAND INJECTION IN CTP Crestron is aware of a vulnerability with specific touch panels which allows for unauthenticated remote code execution via command injection. If authentication is enabled, the probability of exploit is lower as authentication is required. This vulnerability has been assigned CVE identifier CVE-2018-11229.

        This vulnerability has been resolved in the current firmware and can be downloaded on the product page.

        Minimum firmware versions to address this vulnerability:

        • TSW-X60 Series use FW 2.0001.0037.001 or later
        • TSW-X52 Series use FW 1.004.0007 or later

        Affected Devices:

        • TSW-1060
        • TSW-760
        • TSW-560
        • TSW-1060-NC
        • TSW-760-NC
        • TSW-560-NC
        • TSW-552
        • TSW-752
        • TSW-1052
        • TSR-302
        • TST-602
        • TST-902
        • TSW-732
        • TSS-752
        • DMC-STR

        Additional products are being tested.

        CVE-2018-11229 Touchscreens
        6/4/2018 12:00:00 AM CVE-2018-5553: CRESTRON DGE-100 CONSOLE COMMAND INJECTION Crestron is aware of a vulnerability with the DGE-100, DM-DGE-200-C, and TS-1542-C devices which allows for console command injection. If authentication is enabled, the probability of exploit is lower as authentication is required. This vulnerability has been assigned CVE identifier CVE-2018-5553.

        This vulnerability has been resolved in the current firmware and can be downloaded on the product page.

        Minimum firmware version to address this vulnerability: 1.3384.00059.001

        Affected Devices:

        • DGE-100
        • TS-1542-C
        • DM-DGE-200-C
          Touchscreens
        4/23/2018 12:00:00 AM DM-NVX PASSWORD VULNERABILITY Crestron is aware of a DM-NVX password vulnerability, which affects custom passwords created with firmware version 1.3547.00018 or earlier. This issue has been resolved with firmware version 1.3626.00053. After upgrading, it is recommended to resubmit or change the password of the DM-NVX if using a password other than the default.  

        Crestron's DM-NVX had a password vulnerability in firmware version 1.3547.00018 and earlier. Due to this vulnerability passwords were authenticated with only eight (8) characters. Therefore, characters after the first eight (8) were discarded and ignored. After upgrading it is recommended to resubmit or change the password for user accounts.

        If attempting to downgrade from 1.3626.00053 to an earlier version of firmware, the DM-NVX will be automatically restored due to this vulnerability.

          NVX
        1/8/2018 12:00:00 AM MELTDOWN Crestron is aware of a new CPU vulnerability known as Meltdown (CVE-2017-5754) which affects Intel and ARM based processors. This vulnerability allows a hacker to read system memory that may not otherwise be accessible.
        1. Crestron's Cloud Services which include Fusion Cloud, the Crestron Cloud Provisioning Tool and MyCrestron have been patched by Microsoft as of 1/4/2018. For more details on the patch, see: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
        2. On Premise Servers running Crestron Fusion should be patched according to Microsoft recommendations. Crestron Fusion itself does not require an update.
        3. 3 Series Processors are not known to be affected by Meltdown.
        4. 2 Series processors are not affected by Meltdown as they do not use ARM, Intel or AMD based components.
        5. These devices (Mercury, DGE-100, DGE-200, TS-1542, DMPS-4K-250, DMPS-4K-350 and DM-TXRX-100-STR) have the potential to be affected by a variant of Meltdown. However, as stated by ARM, it is not believed that software mitigations for this issue are necessary. Please download the ARM’s Cache Speculation Side-channels whitepaper for more details.
        6. All TSW Series, TST Series, TSR Series, TPMC-4 Series and TPMC-9 Series are not affected by Meltdown.
        7. No DigitalMedia products are known to be affected by Meltdown.
        8. No Audio Products are known to be affected by Meltdown.
        9. AirMedia (AM-100/101) is not known to be vulnerable to Meltdown.
        10. All Lighting and Shade specific products are not affected by Meltdown.
        11. Affected Conferencing Products include CCS-UC-CODEC-100, CCS-UC-CODEC-200, Crestron SR, and Mercury. Because of additional security implementations on these devices we believe this to be a low risk issue. Crestron is working with Microsoft to provide patches on these devices.

        Products not listed here are pending additional review or discontinued. Crestron will be providing additional information and patches as they become available.

        Securing Azure customers from CPU vulnerability

        ARM’s Cache Speculation Side-channels whitepaper

        1/8/2018 12:00:00 AM SPECTRE Crestron is aware of new CPU vulnerabilities known as Spectre (CVE-2017-5753, CVE-2017-5715) which affect Intel and ARM based processors. These vulnerabilities allow a hacker to read system memory that may not otherwise be accessible.
        1. Crestron's Cloud Services which include Fusion Cloud, the Crestron Cloud Provisioning Tool and MyCrestron are currently affected as no patches have been published by Microsoft to specifically mitigate the Spectre Vulnerability. For more details, see: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
        2. On Premise Servers running Crestron Fusion should be patched according to Microsoft recommendations. Crestron Fusion itself does not require an update.
        3. Affected Control Systems include the PRO3, AV3, CP3, CP3N, RMC3, FT-TSC600, PYNG-HUB, TSCW-730, ZUM-FLOOR-HUB, DIN-AP3MEX and DIN-AP3. This vulnerability is considered low risk for processors as it’s a second level vulnerability (requires system access which is traditionally not available). It is recommended that you follow Crestron’s Secure Deployment Guidelines to reduce exposure (OLH 5571). The MC3 and TPCS are not affected by Spectre.
        4. 2 Series processors are not known to be affected by Spectre as they do not use ARM, Intel or AMD based components.
        5. Affected Interfaces include the TSW-1060, TSW-760, TSW-560, TSW-1052, TSW-752, TSW-552, TSS-752, TSW-732, TSW-1050, TSW-750, TSW-730, TSW-550, TSR-302, TSR-310, TST-902, TST-602, DGE-100, DGE-200, TS-1542, and FT-TS600. This vulnerability is considered low risk for interfaces as it’s a second level vulnerability (requires system access which is traditionally not available). It is recommended that you follow Crestron’s Secure Deployment Guidelines to reduce exposure. Additionally to minimize exposure, it would be recommended to avoid implementing the Chrome browser in touchpanel projects.

        6. TPMC-4 Series and TPMC-9 Series are not affected by Spectre.
        7. Affected DigitalMedia products include NVX, DMPS3 Series, DM-STR, DM-MD64x64, DM-MD128x128 and DM-TXRX-100-STR. This vulnerability is considered low risk for DigitalMedia as it’s a second level vulnerability (requires system access which is traditionally not available). It is recommended that you follow Crestron’s Secure Deployment Guidelines to reduce exposure.

        8. Audio Products affected by Spectre include the DSP-1280, DSP-1281, DSP-1282, DSP-1283, DSP-860, AMP-8075 and AMP-8150. This vulnerability is considered low risk for Audio Products as it’s a second level vulnerability (requires system access which is traditionally not available). It is recommended that you follow Crestron’s Secure Deployment Guidelines to reduce exposure.

        9. AirMedia (AM-100/101) is not known to be vulnerable to Spectre.

        10. All Lighting and Shade specific products are not affected by Spectre.

        11. Affected Conferencing Products include CCS-UC-CODEC-100, CCS-UC-CODEC-200, Crestron SR, and Mercury. Because of additional security implementations on these devices we believe this to be a low risk issue. Crestron is working with Microsoft to provide patches on these devices.

        Products not listed here are pending additional review or discontinued. Crestron will be providing additional information and patches as they become available.

        CVE-2017-5753

        CVE-2017-5715

        Crestron’s Secure Deployment Guidelines

        Securing Azure customers from CPU vulnerability

        Touchscreens
        11/14/2017 12:00:00 AM AUTHENTICATION FAILURE IN TSW‑x60 By definition, devices that do not have authentication enabled are not affected.

        Crestron is aware of a flaw in the authentication model of the following products:

        TSW-560, TSW-560P, TSW-760, TSW-1060, TSW-560-NC, TSW-760-NC, TSW-1060-NC running the following versions 1.002.0016.001, 1.002.0028.001, 1.003.0052.001.

        A hacker can gain access to the device configuration pages using invalid credentials. It should be noted that the vulnerability only allows access to the configuration of the device, which could possibly render the device inoperable or inaccessible.

        Crestron has posted an updated version of the firmware to address this problem:

        • If you are running version 1.002.0016 or 1.002.0028, please update to version 1.002.0029.
        • If you are running version 1.003.0052, please update to version 1.003.0054.

        If you previously disabled the webserver to mitigate this issue you may re-enable it using the command WEBSERVER ON, followed by a REBOOT.

        Touchscreens
        8/14/2019 12:00:00 AM DM NVX 2.0 and Earlier Supports SNMP v1/2 Unauthorized users can read all SNMP information because the access password is not secure in SNMPv1 or SNMPv2.
        SNMPv1 and SNMPv2 have been designated as obsolete.

        Versions of DM NVX prior to the released 2.1 supported these earlier versions.

         
        Versions of DM NVX 2.0 and earlier supported these now obsolete versions of SNMP. While used in the industry for years, a number of security vendors now flag it with increasing severity. As a result, it has been removed from the 2.1 feature set. SNMP v3 will be a part of the DM NVX 2.2 release.

        There is no reliable method to disable SNMP on the DM NVX device itself.

        The easiest method to eliminate the potential risk is to update to DM NVX 2.1 or higher. 

        If you decide not to update: 
        • All exposed parameters on the DM NVX are Read Only, so an attacker is limited
        • The risk can be eliminated by blocking UDP traffic on ports 161 and 162
        NVX|SNMP
        9/18/2019 12:00:00 AM Super Micro BMC Vulnerabilities Discovered A vulnerability was disclosed affecting Super Micro’s BMC. Researchers have identified vulnerabilities in the Virtual Media function of Supermicro BMCs. BMC/IPMI Virtual Media is a feature of the Virtual Console that enables users to attach a CD/DVD image to the server as a virtual CD/DVD drive. These vulnerabilities include plaintext authentication, weak encryption, and authentication bypass within the Virtual Media capabilities. Identified by researchers in the lab, the vulnerabilities have not been reported in a customer environment.
         
        This BMC is used in the DM-NVX Director products - DM-XIO-DIR-80, DM-XIO-DIR-160 and DM-XIO-DIR-ENT. By default, the BMC is only available from the management port. 

        Best practice is that the management port is only used for local connection and not connected to a wider LAN. In this configuration, there is little to no risk with regard to the reported vulnerabilities.

        Customers can update as per the below procedure to further eliminate the concerns.
         
        Eclypsium Report:
        https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack/
         
        Super Micro Response and Links to Firmware:
        https://www.supermicro.com/support/security_BMC_virtual_media.cfm

        Update Procedure:
        dm-nvx_director_ipmi_firmware_update_v9-18-2019.docx
        NVX|Super Micro
        2/14/2020 12:00:00 AM CVE-2020-0601: Microsoft Windows CryptoAPI Spoofing Crestron is aware of a spoofing vulnerability that exists in the way Microsoft Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. This vulnerability has been assigned CVE identifier CVE-2020-0601. Updates to Crestron Fusion Cloud VM services are currently being rolled out and will be completed by February 15th, 2020.
         
        Crestron is working with Microsoft to deploy a timely update for the affected products listed below. Crestron will provide an update as soon as it's available.
         
        Products: UC-ENGINE, UC-ENGINE-SD, UC-ENGINE-SD-Z, CCS-UC-300, UC-M150-T, UC-M130-T, UC-M150-Z, UC-M130-Z, UC-M100-T, UC-B140-T, UC-B160-Z , UC-B160-T, UC-C160-T, UC-B140-Z, UC-C160-Z
         
        Crestron RL2 devices should be upgraded from Windows 7 to Windows 10, please see link below.
         
        Crestron has reviewed the vulnerability report and has confirmed that it does not affect any other shipping Crestron products.
        For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601
        For Microsoft advisory see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
        An RL2 device must be upgraded to Flex to migrate from Windows 7 to Windows 10; see a Crestron Sales Representative for more details.

        Microsoft Updates by version:
        For Microsoft Version 1803 update: https://support.microsoft.com/en-us/help/4534293/windows-10-update-kb4534293
        For Microsoft Version 1903 update: https://support.microsoft.com/en-us/help/4528760/windows-10-update-kb4528760
        api|crypto|engine|Microsoft|uc
        10/26/2017 12:00:00 AM BLUEBORNE It has been reported that a new attack vector called BlueBorne can potentially affect all devices with Bluetooth capabilities running major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux. By spreading through the air, BlueBorne targets the weakest spot in the networks' defense – and the only one that no security measure protects.

        The only Crestron device that currently exposes a Bluetooth interface is the Crestron Mercury Tabletop Conference System.

        Mercury uses a Bluetooth module which incorporates a proprietary operating system (not Android, iOS, Windows or Linux) and therefore is not susceptible to the BlueBorne attack. Furthermore, all Bluetooth profiles are kept inactive during normal operation of the device, requiring explicit user intervention to enable pairing and/or discovery to the device. As such, Mercury is not vulnerable to the BlueBorne attack vector.

        www.armis.com/blueborne Mercury
        2/4/2020 12:00:00 AM CVE-2019-18184: Crestron DMC-STRO 1.0 Crestron is aware of a vulnerability in the CTP console of the DMC-STRO device that allows commands to be executed on the system, on behalf of the root user, through bash command substitution. This vulnerability has been assigned CVE identifier CVE-2019-18184. This vulnerability has been resolved in the current firmware upgrade. Crestron recommends upgrading devices with current firmware available on the product page.
         
        Minimum firmware version to address this vulnerability: version 3.2.14
         
        Crestron has reviewed the vulnerability report and has confirmed that it does not affect any other shipping Crestron products.
         
        To upgrade firmware: DigitalMedia 3.02.14
         
        Product Release Notes: v.3.2.14 Release Notes
         
        For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18184

         
        DMC
        8/9/2018 12:00:00 AM KRACK

        It has been reported that there are several vulnerabilities in the WiFi Protected Access II Protocol (WPA2).

        The vulnerabilities make it possible for attackers to eavesdrop on WiFi traffic.

        Please see the following CVE reports for additional information: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088.

        This vulnerability is a protocol level vulnerability and as such affects nearly all correct implementations of the firmware.

        The following devices are affected:

        • CEN-WAP-1500
        • CEN-WAP-ABG-1G
        • CEN-WAP-ABG-CM
        • TSR-302 - Resolved in Version 1.004.0007
        • TST-602 - Resolved in Version 1.004.0007
        • TST-902 - Resolved in Version 1.004.0007

        Other Crestron WiFi products do not support WPA2 and as such are not affected.

        If any of the CEN-WAP products are used with non-Crestron products, all unencrypted information should be considered at risk. Use HTTPS and other secure protocols until a fix is available.

        Most traffic between the TSR-302, TST-602, TST-902 and the control system is over Crestron Extended Range 2.4 GHz RF (ER) and is thus unaffected. However, WiFi communications are used for some additional functions (such as video playback, intercom, etc.) and could be vulnerable. Crestron is actively working towards a fix.

        If you are using a non-Crestron WAP you should also check with the vendor for updates.

        A notable risk is that the following UI Applications use direct connections and could be intercepted and potentially spoofed:

        • Media Player Object
        • All Pyng Objects
        • TV Presets Object

        Two possible mitigations exist:

        1. Remove the UI Applications from devices.
        2. Disable WiFi on the Remotes. This will allow the UI Applications to still run but will disable other features (such as streaming video, intercom, graphics). Note that performance of the applications will also be affected.

        It is recommended that all installations follow the Secure Deployment Guide found in Online Help ID 5571. This will enable additional encryption on the device. This will not remove the risk noted regarding the UI Applications by itself.

        WiFi
        3/9/2020 12:00:00 AM CVE-2019-15126: KR00K Wi-Fi Vulnerability Crestron is aware of a vulnerability that was discovered on certain Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic, a different vulnerability than CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.
         
        This vulnerability has been assigned CVE identifier CVE-2019-15126. Crestron has reviewed the vulnerability report against all shipping products and has confirmed that the AM-200, AM-300, and TSR-310, are not affected. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15126 AM|TSR|WiFi
        5/18/2017 12:00:00 AM WANNACRY

        There are several vulnerabilities in Microsoft's implementation of SMBv1 on Windows. Microsoft addressed these in Microsoft Security Bulletin MS17-010 in March 2017. This bulletin refers to the following CVE identifiers: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, and CVE-2017-0148.

        The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. SMB is a protocol mainly used for providing shared access to files and devices between nodes on a network.

        Platforms not affected

        Products running Windows CE 6 and Windows Embedded Compact 7 are not affected by the WannaCry malware package.

        PRO3, CP3, CP3N, AV3, DMPS 3-Series (all models), DM-64X64, DM-128X128, RMC3, DIN-AP3, TSW-550, TSW-750, TSW-1050, TSM-730

        • Only code signed with Crestron certificates can execute on these devices.
        • These devices cannot execute x86 native code and so are not vulnerable to the WannaCry malware.
        • The SMB file server is not enabled and so they are not vulnerable to the original ETERNALBLUE exploit.
        • NOTE: It is not clear that the vulnerability exists in the Embedded Compact SMB implementation in the first place but as noted it is disabled anyway.

        TPMC-4SM, TPMC-9, TST-600

        • Only code signed with Crestron certificates can execute on these devices.
        • These devices cannot execute x86 native code and so are not vulnerable to the WannaCry malware.
        • The SMB ports are open but there is no notice of this implementation being vulnerable to the original ETERNALBLUE exploit.

        MC3, TPCS-4SM

        • Only code signed with Crestron certificates can execute on these devices.
        • These devices cannot execute x86 native code and so are not vulnerable to the WannaCry malware.

        Platforms potentially affected

        Crestron also has devices using XP Embedded and Windows Embedded Standard 7.

        DGE-2, DGE-1, TPMC-V12, TPMC-V15

        • These products have the SMB ports closed by default and so are not vulnerable under normal installation.
        • In the event the device does become infected, a reboot will clean it up.
        • Please install the following updated service pack which includes Microsoft KB4012598:
          • DGE-1 Use dge-1-osp_1.1.10.zip or higher
          • DGE-2 Use dge-2_1.01.10.puf or higher
          • TPMC-V12/15 Use tpmc-v12_tpmc-v15_1.01.008.puf or higher

        TPMC-8X-GA

        • NOTE: This product has SMB ports open by default and should be considered at risk.
        • In the event the device does become infected, a reboot will clean it up.
        • Please install the following updated service pack which includes Microsoft KB4012598:
          • TPMC-8X-GA Use tpmc-8x-ga-osp_1.1.10.zip or higher

        TPMC-8X, TPMC-8L

        • NOTE: This product has SMB ports open by default and should be considered at risk.
        • In the event the device does become infected, a reboot will clean it up.
        • Please install the following updated service pack which forces the SMB ports closed regardless of any other settings.
          • Upgrade firmware to version 2.00.02.219 or above. 2.00.02.221 is the latest release at this writing.
          • Install new service pack tpmc-8x-tpmc-8l-firewall_1.0.0.zip.
          • Ensure firewall is enabled using the console command: FIREWALL

        ADMS, ADMS-BR, ADMS-G2

        These products have the SMB ports closed by default and so are not vulnerable under default installation. If file sharing options are enabled the device should be considered at risk.

        Crestron RL (Version 1 and 2)

        • Crestron RL products do not allow arbitrary applications to be executed and so are not vulnerable.
        • These products have the SMB ports closed by default and so are not vulnerable under normal installation.
        • Notwithstanding these protections, Microsoft has provided a security update for Crestron RL products – https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Skype-for-Business-15-15-9-Security-Update-for-Crestron-RL/ba-p/70432
        • This has been posted in CCS-UC-200 ver. 15.15.09 and CCS-UC-100 ver. 15.15.09

        CEN-FUSION-SERVER-R330, CEN-FUSION-RVS-R310, CEN-FUSION-R320, CEN-RVS-R210, CEN-RVS-R320

        Please follow Microsoft guidance for Windows Server Products: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

        NOTE: No other current Crestron products have been found to be affected by the WannaCry malware.

        Microsoft Security Response Center

        Skype for Business 15.15.9 Security Update for Crestron RL, Polycom CX8000, and SMART Room System

        Customer Guidance for WannaCrypt attacks

        3/16/2020 12:00:00 AM CVE-2020-0796: Microsoft SMBv3 Remote Code Execution

        Crestron is aware that a remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
         
        This vulnerability has been assigned CVE identifier CVE-2020-0796. Crestron recommends that users set firewall rules to block open port 445 on the following products, as they would on any other Windows PC product.

        Products: UC-ENGINE, UC-ENGINE-SD, UC-ENGINE-SD-Z, CCS-UC-300, UC-M150-T, UC-M130-T, UC-M150-Z, UC-M130-Z, UC-M100-T, UC-B140-T, UC-B160-Z, UC-B160-T, UC-C160-T, UC-B140-Z, UC-C160-Z
         
        Crestron has reviewed the vulnerability report and has confirmed that it does not affect any other shipping Crestron products.
        For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796
        For Microsoft advisory see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
        6/30/2016 12:00:00 AM SSL 3.0 PROTOCOL VULNERABILITY

        As per TA14-290A, all systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.

        Later, this vulnerability was extended to certain TLS 1.0 and TLS 1.1 implementations.

        1. The most likely exploitation is via web browsers and servers, which is not a high use case on Crestron equipment. In addition, the exploitation is most commonly implemented as a Man-in-the-Middle attack which is also less likely given the way most Crestron systems are put together.
        2. Crestron has deprecated support for SSL 3.0 and relies only on TLS which does not have this vulnerability. The console command "SSL" supports the following options: TLSSSL, TLSONLY, TLS1.2ONLY.
        3. Crestron does implement the protocol extension, TLS_FALLBACK_SCSV, which prevents MITM attackers from being able to force a protocol downgrade.
        4. Crestron's implementation of TLS 1.0 and TLS 1.1 was proven not to expose this vulnerability using the Qualys SSL Labs SSL Server test.

        Alert (TA14-290A) SSL 3.0 Protocol Vulnerability and POODLE Attack

        SSL Server Test

        7/8/2015 12:00:00 AM FLASH

        As per CVE-2015-5119, a use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a ValueOf function, as exploited in the wild in July 2015.

        All shipping products were reviewed and the following notes are applicable:

        1. The Smart Graphics installation package contains an affected version of the Adobe Flash Player for Internet Explorer. This will be updated in the next release. In the meantime, users may update their own systems via the normal means. This only affects developers' own systems and no Crestron products.
        2. The following products support an embedded browser control which supports Flash: DGE-1, DGE-2, TPMC-8X, TPMC-8X-GA, TPMC-V12, TPMC-V15. However, the version of Flash installed on these products is not a version affected. In addition, if the user project on the system does not support browsing to arbitrary sites, the systems are not affected. Note that this does not affect Smart Graphics projects.
        CVE-2015-5119 Detail
        1/12/2022 12:00:00 AM CVE-2018-15473: OpenSSH User Enumeration

        Crestron is aware that OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

        This vulnerability has been assigned CVE identifier CVE-2018-15473. This vulnerability affects the following products: All 3-Series Control Systems including but not limited to CP3, RMC3, CP3N, PRO3, and all "x52 Series touchscreens" including but not limited to TSW-552, TSW-1052, TSW-752, TSS-752.

        Crestron 3-Series Control Systems now use a customized version of OpenSSH. The Crestron version was modified to replace the cryptographic functions with NIST certified alternatives as well as to remove/modify vulnerable components. Crestron continues to monitor OpenSSH vulnerabilities to apply appropriate fixes.

        While the TSW and TSS panels noted use OpenSSH 7.5, they don’t support the features related to this vulnerability. Due to these circumstances, Crestron is not susceptible. Newer touchscreens use a later version of OpenSSH which is not susceptible.
        For more information, please see 3-Series Control System release notes: v.1.601.0050
        3/5/2015 12:00:00 AM GNU GLIBC BUFFER OVERFLOW IN DNS RESOLVER

        According to a Google security blog post, and documented in CVE-2015-7547, the glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack. All versions from 2.9 (originally released November 2008) to 2.22 appear to be affected. All shipping products were reviewed and no shipping products are affected by this report.

        CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

        CVE-2015-7547 Detail

        2/5/2015 12:00:00 AM GHOST

        As per CVE-2015-0235: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

        CVE-2015-0235 is a vulnerability that really doesn’t apply to Crestron’s products, as it requires a custom written program to run on the device to exploit this vulnerability; none of our devices really have this capability.

        However, we have looked through our products, and where applicable, have patched the libraries affected:

        The PRO3/AV3/CP3N’s router firmware has been patched, and will be available by next month.

        The ATC-AUDIONET is the only other product with libraries that have this vulnerability; at the moment, a firmware upgrade is not scheduled to resolve this, mostly due to the fact that the unit is unable to run custom code.

        CVE-2015-0235 Detail
        3/27/2020 12:00:00 AM CVE-2018-11228: Bash Shell Exploit

        Crestron is aware of a vulnerability that allows unauthenticated, remote code execution with the Bash shell service in Crestron Toolbox Protocol.

        This vulnerability has been assigned CVE identifier CVE-2018-11228. This vulnerability affects the following products: TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW-560-NC.

        Crestron recommends that users update their firmware to v2.007.0060.001.

        For more information, please see release notes: v2.007.0060.001
        12/29/2014 12:00:00 AM HEARTBLEED

        There is a severe vulnerability in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). This is a serious vulnerability which has been assigned the CVE identifier CVE-2014-0160.

        Exploitation may lead to disclosure of memory contents from the server to the client and from the client to the server. An attacker can remotely retrieve sensitive data from memory, including, but not limited to secret keys used for SSL encryption and authentication tokens.

        Crestron has carefully examined the versions of OpenSSL used in its product line. With the exception of the following three, none of Crestron's devices, software, web sites or tools have been determined to have this vulnerability.

        Crestron has incorporated a fix into firmware v1.1.1 which was released on March 10, 2015.

        1. Crestron App for iOS (Current Released Version)
          • Crestron has incorporated a fix into v1.02.42 which was released on May 28, 2014.
          • It should be noted that this application will only use SSL in connection to a Crestron Control System. To take advantage of this vulnerability in versions prior to v1.02.42, an attacker would need to coerce an end user to change application connection settings to connect to another non-control system device which was specifically coded to retrieve this data.
        2. Crestron Mobile and Crestron Mobile Pro for Android (running on Android 4.1.1 ONLY)
          • Crestron uses the built-in Android services. Customers with devices running Android 4.1.1 are urged to check with their carrier or device manufacturer for updates.
          • It should be noted that this application will only use SSL in connection to a Crestron Control System. To take advantage of this vulnerability in versions prior to v1.02.42, an attacker would need to coerce an end user to change application connection settings to connect to another non-control system device which was specifically coded to retrieve this data.
        3. Crestron AM-100 AirMedia™ Presentation Gateway
        CVE-2014-0160 Detail
        5/22/2020 12:00:00 AM CVE-2019-16905: OpenSSH Integer Overflow

        Crestron is aware that OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm.
         
        NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions.
         
        This vulnerability has been assigned CVE identifier CVE-2019-16905. Crestron products do not enable support for XMSS and, therefore, are not affected by this flaw.
         
        For more information, please see CVE-2019-16905
         
        11/20/2014 12:00:00 AM SCHANNEL

        Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via crafted packets, aka "Microsoft Schannel Remote Code Execution Vulnerability."

        As per CVE-2014-6332, OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka "Windows OLE Automation Array Remote Code Execution Vulnerability" or WinShock.

        All shipping products were reviewed and the following notes are applicable:

        1. While Crestron 3-Series processors do use Windows Embedded operating systems, the kernel itself is different and it is not immediately clear if the same deficiency is present. We are working with Microsoft to make this determination. The Web Server in these processors does use SChannel for authentication if SSL is enabled. However, in most installations SSL is not enabled. This is further mitigated by the point that there is no scripting support provided on the 3-series web server and so exploitation would be more difficult.
        2. Crestron is working with Microsoft regarding an update to Crestron RL. However, as this is an embedded system with code protection enabled, it is not clear the vulnerability is exploitable.
        3. Crestron is working with Microsoft regarding an update to the TPMC-V12, TPMC-V15, DGE-1. However, as this is an embedded system with code protection enabled, it is not clear the vulnerability is exploitable.
        4. Customers running Fusion are urged to make sure to apply Windows updates.
        CVE-2014-6332 Detail
        3/28/2020 12:00:00 AM CVE-1999-0524: ICMP Exploit

        Crestron is aware of a vulnerability in which the ICMP protocol can send netmask and timestamp information to other hosts.
         
        This vulnerability has been assigned CVE identifier CVE-1999-0524. This vulnerability affects the following products: PRO3, RMC3 and CP3.
         
        Crestron recommends upgrading devices to the current firmware available and turning ICMP OFF to mitigate risk.
        For more information, see CVE-1999-0524
        7/27/2021 12:00:00 AM AM-100 and AM-101 Vulnerabilities

        AIRMEDIA AM-100 and AM-101 Vulnerabilities

        We are making the AM-100/101 firmware available today publicly. Anyone requiring assistance should reach out to True Blue Support.

        The latest AM-100/101 firmware release includes fixes for the following vulnerabilities: CVE-2019-3929, CVE-2019-3930, CVE-2019-3925, CVE-2019-3926, CVE-2019-3931, CVE-2019-3932, CVE-2019-3939, CVE-2019-3927, CVE-2019-3928, CVE-2019-3933, CVE-2019-3934, CVE-2019-3935, CVE-2019-3936, CVE-2019-3937, and CVE-2019-3938. See link below under Resources.

        Please note the following vulnerabilities only affect the Airmedia AM-100 and AM-101 devices. All other second generation AirMedia devices are not affected.

        There are multiple CVEs associated with this report.

        CVE-2019-3925: Unauthenticated Remote OS Command Injection via SNMP #1
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to command injection via SNMP OID iso.3.6.1.4.1.3212.100.3.2.9.3. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3926: Unauthenticated Remote Command Injection via SNMP #2
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to command injection via SNMP OID iso.3.6.1.4.1.3212.100.3.2.14.1. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3927: Unauthenticated Remote Admin Password Change via SNMP
        Crestron is aware that on the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 anyone can change the administrator and moderator passwords via the iso.3.6.1.4.1.3212.100.3.2.8.1 and iso.3.6.1.4.1.3212.100.3.2.8.2 OIDs. A remote, unauthenticated attacker can use this vulnerability to change the admin or moderator user's password and gain access to restricted areas on the HTTP interface. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3928: Unauthenticated Remote Information Leak via SNMP
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allow any user to obtain the presentation passcode via the iso.3.6.1.4.1.3212.100.3.2.7.4 OID. A remote, unauthenticated attacker can use this vulnerability to access a restricted presentation or to become the presenter. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27. A warning will now appear if SNMP v1 or v2 is used. Crestron recommends using SNMP v3 to avoid this issue.
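
        The four SNMP advisories above all involve community-based SNMP (v1/v2c) requests reaching specific OIDs. The following Python detector is an added example, not Crestron code: it decodes SNMP datagrams captured on the path to AM-100/101 units and reports v1/v2c requests that reference those OIDs. The function names and the constructed sample requests are assumptions of the example.

```python
"""Flag SNMPv1/v2c requests that reference the AM-100/101 OIDs named in the advisories."""

# OIDs as listed in the advisories ("iso" is arc 1), mapped to their CVE.
WATCHED_OIDS = {
    "1.3.6.1.4.1.3212.100.3.2.9.3": "CVE-2019-3925",
    "1.3.6.1.4.1.3212.100.3.2.14.1": "CVE-2019-3926",
    "1.3.6.1.4.1.3212.100.3.2.8.1": "CVE-2019-3927",
    "1.3.6.1.4.1.3212.100.3.2.8.2": "CVE-2019-3927",
    "1.3.6.1.4.1.3212.100.3.2.7.4": "CVE-2019-3928",
}
VERSIONS = {0: "v1", 1: "v2c"}  # community-based versions only
REQUEST_PDUS = {0xA0: "get", 0xA1: "getnext", 0xA3: "set", 0xA5: "getbulk"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode BER OID content octets to dotted form."""
    if not value:
        raise ValueError("empty OID")
    arcs = [value[0] // 40, value[0] % 40]  # valid for first arcs 0 and 1 (covers 1.3.*)
    sub = 0
    for octet in value[1:]:
        sub = (sub << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear marks the last octet of a sub-identifier
            arcs.append(sub)
            sub = 0
    return ".".join(str(arc) for arc in arcs)


def inspect(datagram):
    """Return one finding per watched OID in a v1/v2c request; [] otherwise.

    Raises ValueError on malformed input, which a caller should count separately.
    """
    tag, message, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, raw_version, pos = read_tlv(message, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = VERSIONS.get(int.from_bytes(raw_version, "big"))
    if version is None:
        return []  # SNMPv3 or unknown version: different message layout
    _, _community, pos = read_tlv(message, pos)  # a credential, deliberately not recorded
    pdu_tag, pdu, _ = read_tlv(message, pos)
    op = REQUEST_PDUS.get(pdu_tag)
    if op is None:
        return []  # responses and traps are out of scope here
    pos = 0
    for _field in range(3):  # request-id and the two status / bulk-control integers
        pos = read_tlv(pdu, pos)[2]
    _, varbinds, _ = read_tlv(pdu, pos)
    findings, pos = [], 0
    while pos < len(varbinds):
        _, varbind, pos = read_tlv(varbinds, pos)
        tag, raw_oid, _ = read_tlv(varbind, 0)
        if tag != 0x06:
            raise ValueError("varbind does not start with an OID")
        oid = decode_oid(raw_oid)
        for watched, cve in WATCHED_OIDS.items():
            if oid == watched or oid.startswith(watched + "."):  # exact OID or an instance below it
                findings.append({"cve": cve, "version": version, "op": op, "oid": oid})
    return findings


def tlv(tag, value):
    """Encode a short-form TLV; enough for the constructed samples below."""
    if len(value) > 127:
        raise ValueError("sample too long for short-form length")
    return bytes([tag, len(value)]) + value


def sample_request(version, pdu_tag, oid_hex, value=b"\x05\x00"):
    """Build a constructed one-varbind request (value defaults to BER NULL)."""
    varbind = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + value)
    pdu = tlv(pdu_tag, tlv(0x02, b"\x00") * 3 + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, b"public") + pdu)


if __name__ == "__main__":
    # Constructed sample: v2c SetRequest for ...3.2.8.1 carrying the harmless string "x".
    print(inspect(sample_request(1, 0xA3, "2b06010401990c6403020801", b"\x04\x01x")))
```

        Matching is on the exact OIDs from the advisories and instances below them, so a GetNext or GetBulk walk that starts higher in the tree is not reported.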

        CVE-2019-3929: Unauthenticated Remote OS Command Injection via file_transfer.cgi
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.1 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3930: Unauthenticated Remote Stack Buffer Overflow via file_transfer.cgi
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.1 are vulnerable to a stack buffer overflow in libAwgCgi.so's PARSERtoCHAR function. A remote, unauthenticated attacker can use this vulnerability to execute arbitrary code as root via a crafted request to the return.cgi endpoint. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3931: Remote View Pass Code Bypass and Information Leak
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to argument injection to the curl binary via crafted HTTP requests to return.cgi. A remote, authenticated attacker can use this vulnerability to upload files to the device and ultimately execute code as root. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3932: Authentication Bypass in return.tgi
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to authentication bypass due to a hard-coded password in return.tgi. A remote, unauthenticated attacker can use this vulnerability to control external devices via the uart_bridge. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3933: Authentication bypass to view "remote view" via HTTP browserslide.jpg
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allow anyone to bypass the presentation code simply by requesting /images/browserslide.jpg via HTTP. A remote, unauthenticated attacker can use this vulnerability to watch a slideshow without knowing the access code. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3934: Remote View Pass Code Bypass #2
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allow anyone to bypass the presentation code by sending a crafted HTTP POST request to login.cgi. A remote, unauthenticated attacker can use this vulnerability to download the current slide image without knowing the access code. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3935: Unauthenticated Remote Moderator Controls via HTTP
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allow anyone to act as a moderator to a slide show via crafted HTTP POST requests to conference.cgi. A remote, unauthenticated attacker can use this vulnerability to start, stop, and disconnect active slideshows. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3936: Unauthenticated Remote View Control via port 389
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to denial of service via a crafted request to TCP port 389. The request will force the slideshow to transition into a "stopped" state. A remote, unauthenticated attacker can use this vulnerability to stop an active slideshow. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3937: Credentials Stored in Plaintext
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 store usernames, passwords, slideshow passcode, and other configuration options in cleartext in the file /tmp/scfgdndf. A local attacker can use this vulnerability to recover sensitive data. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3938: Exported Configuration Files Contain Credentials
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 store usernames, passwords, and other configuration options in the file generated via the "export configuration" feature. The configuration file is encrypted using the awenc binary. The same binary can be used to decrypt any configuration file since all the encryption logic is hard coded. A local attacker can use this vulnerability to gain access to device usernames and passwords. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        Firmware Release: https://www.crestron.com/Software-Firmware/Firmware/Crestron-App-s-for-Mobile-Devices/Crestron-AirMedia-(Android)/2-0-0-3
        6/29/2020 12:00:00 AM RIPPLE20: Treck TCP/IP Stack

        Crestron is aware of a public report, known as “Ripple20”, that details vulnerabilities found in the Treck TCP/IP stack. Crestron is issuing this advisory to provide notice of the reported vulnerabilities. This vulnerability has been assigned multiple CVE identifiers. See list below. We have reviewed our product lines and confirmed with our vendors this reported vulnerability does not affect any Crestron products.

        Assigned CVE identifiers:
        To receive more information about the vulnerabilities or the Treck release containing fixes, or for patches for all of these reported issues, please contact security@treck.com.

        CERT Coordination Center Advisory – https://kb.cert.org/vuls/id/257161
        ICS-CERT Advisory – https://www.us-cert.gov/ics/advisories/icsa-20-168-01
        6/7/2019 12:00:00 AM CVE-2019-9006: CP3N/PRO3/AV3

        Crestron is aware of a vulnerability with the CP3N, PRO3, and AV3 devices which allows attackers to change firewall rules, scan the internal network, and download and run scripts through the remote root shell on the router via telnet access. This vulnerability has been assigned CVE identifier CVE-2019-9006. This vulnerability has been resolved in the current firmware upgrade. Crestron recommends upgrading devices with current firmware available on the product page.

        Minimum firmware versions to address this vulnerability: v.1.600.0092
        v.1.600.0092 Release Notes
        9/25/2020 12:00:00 AM CVE-2020-16839: PASSWORD CHANGE VIA WEBSOCKET REQUEST

        Crestron is aware of a vulnerability in the web application which allows the password to be changed by sending an unauthenticated Websocket request.

        This vulnerability has been assigned CVE identifier CVE-2020-16839. This vulnerability affects the following products: DM-NVX-DIR-80, DM-NVX-DIR-160, DM-NVX-DIR-ENT.

        This vulnerability has been resolved in the current firmware upgrade. Crestron recommends upgrading devices with current firmware available on the product page.

        Minimum firmware versions to address this vulnerability: v.1.0.3.802
        For more information, please see release notes: v.1.0.3.802
        12/22/2020 12:00:00 AM Solarwinds

        Several technology companies recently disclosed a sophisticated supply chain attack that used malicious Solarwinds Orion software to compromise government and business networks across the world. Based on available information of the threat and a thorough review of our internal environment, we can share that this attack has not impacted Crestron. We have not used the Solarwinds software version reported to be compromised.

        7/20/2021 12:00:00 AM Frag Attack

        Crestron is aware of a series of 12 vulnerabilities in the 802.11 standard. These are described in the research paper Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation, which was made public 5/11/2021.

        Three of these vulnerabilities are considered design vulnerabilities, while the other nine are implementation vulnerabilities. These vulnerabilities could allow an attacker to forge data, which in turn could give the attacker access to sensitive data from a device.

        CVE-2020-24588, CVE-2020-24587, CVE-2020-24586, CVE-2020-26145, CVE-2020-26144, CVE-2020-26140, CVE-2020-26143, CVE-2020-26139, CVE-2020-26146, CVE-2020-26147, CVE-2020-26142, CVE-2020-26141

        Crestron is reviewing its product line to identify any affected products. This advisory will be updated as further information is available.

        TSR-310
        Status: Affected
        Release Availability: Please update to firmware version 2.001.0104.001 or higher.

        HZ-THSTAT
        Status: Affected
        Release Availability: Please update to version 1.001.0000.001 or higher. 

        All models of TS-1070, TSW-1070, TS-770, TSW-770, TS-570, TSW-570 touch screens
        Status: Affected
        Release Availability: N/A

        CEN-IO-IR-204, CEN-IO-DIGIN-204, CEN-IO-RY-204
        Status: Affected
        Release Availability: Expected January 2022.

        All models of UC-2, UC-MM30, UC-MMX30 systems (Mercury Mini)
        Status: Affected
        Release Availability: Please update to version 1.0.4.30 or higher. New devices are shipped with at least this version. GA for updates expected November 2021.

        All models of UC-P8, UC-P10 
        Status: Affected
        Release Availability: Please update to version 1.0.4.22 or higher. New devices are shipped with at least this version. GA for updates expected January 2022.

        TST-902
        Status: Affected
        Release Availability:  Please update to version 1.004.0018 or higher. Release availability expected January 2022.

        AM-USB-WF
        Status: Affected
        Release Availability: TBD

         
        The security researcher’s description of the flaws can be found at https://www.fragattacks.com/.

        These vulnerabilities have been assigned the following CVEs.

        The following are design flaws:
        • CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
        • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
        • CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
        These implementation vulnerabilities allow the trivial injection of plain text frames in a protected Wi-Fi network:
        • CVE-2020-26145: Accepting plain text broadcast fragments as full frames (in an encrypted network).
        • CVE-2020-26144: Accepting plain text A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
        • CVE-2020-26140: Accepting plain text data frames in a protected network.
        • CVE-2020-26143: Accepting fragmented plain text data frames in a protected network.
        These are other implementation vulnerabilities:
        • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
        • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
        • CVE-2020-26147: Reassembling mixed encrypted/plain text fragments.
        • CVE-2020-26142: Processing fragmented frames as full frames.
        • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
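
        The fragmentation entries in the list above (CVE-2020-24586, CVE-2020-24587, CVE-2020-26146, CVE-2020-26147 and the plain text injection group) each name a check that a receiver skipped while reassembling fragments. The following Python model of a reassembly path that enforces those checks is an added example, not Crestron or driver code; the `Fragment` fields, the `key_id` handle and the `Reassembler` class are assumptions of the example, and it covers only data frames after keys are installed.

```python
"""Model of 802.11 fragment reassembly with the checks the FragAttacks CVEs show missing."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    sender: str             # transmitter address
    seq: int                # sequence number shared by all fragments of one frame
    frag: int               # fragment number, starting at 0
    more: bool              # More Fragments bit
    protected: bool         # Protected Frame bit (payload arrived encrypted)
    key_id: Optional[int]   # hypothetical handle of the key instance that decrypted it
    pn: Optional[int]       # CCMP/GCMP packet number
    payload: bytes          # plaintext after decryption


class Reassembler:
    def __init__(self):
        self.cache = {}     # (sender, seq) -> fragments received so far, in order

    def on_reconnect(self, sender):
        """CVE-2020-24586: forget partial frames when the peer (re)connects."""
        for key in [k for k in self.cache if k[0] == sender]:
            del self.cache[key]

    def _drop(self, key, reason):
        self.cache.pop(key, None)   # never keep a partial frame that failed a check
        return ("drop", reason)

    def receive(self, f):
        """Return ("frame", payload), ("wait", None) or ("drop", reason)."""
        key = (f.sender, f.seq)
        # CVE-2020-26140/26143/26145/26147: no plain text frames or fragments
        # are accepted once the network is protected.
        if not f.protected or f.pn is None or f.key_id is None:
            return self._drop(key, "plaintext frame in protected network")
        if f.frag == 0:
            parts = [f]             # a new first fragment replaces any stale partial frame
        else:
            parts = self.cache.get(key)
            if not parts or parts[-1].frag + 1 != f.frag:
                return self._drop(key, "fragment out of sequence")
            # CVE-2020-24587: every fragment must come from the same key.
            if f.key_id != parts[-1].key_id:
                return self._drop(key, "fragments under different keys")
            # CVE-2020-26146: packet numbers must increase in steps of one.
            if f.pn != parts[-1].pn + 1:
                return self._drop(key, "non-consecutive packet number")
            parts = parts + [f]
        if f.more:
            self.cache[key] = parts
            return ("wait", None)
        # CVE-2020-26142: only a complete, checked set is handed up as a frame.
        self.cache.pop(key, None)
        return ("frame", b"".join(p.payload for p in parts))


if __name__ == "__main__":
    rx = Reassembler()
    # Constructed fragments: the second one was decrypted under a different key.
    print(rx.receive(Fragment("aa:aa", 1, 0, True, True, 1, 10, b"GET /")))
    print(rx.receive(Fragment("aa:aa", 1, 1, False, True, 2, 11, b"index")))
```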
        7/16/2019 12:00:00 AM CVE-2019-13450: ZOOM CLIENT

        Crestron is aware of a vulnerability within the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on MacOS. Remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424.

        NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
        This vulnerability has been assigned CVE identifier CVE-2019-13450.
        Crestron and Zoom have reviewed the vulnerability report and have confirmed that it does not affect any Crestron products.
        For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13450
        8/25/2021 ThroughTek's Kalay Platform
        A critical vulnerability has been discovered that affects IoT devices that use ThroughTek’s “Kalay” network. Exploiting this vulnerability allows the attacker to listen to live audio, watch real-time video data and compromise the credentials on the device for further attacks. This can let the attacker remotely control the device.
         
        This vulnerability has been assigned CVE identifier CVE-2021-28372.
        This vulnerability has no impact on Crestron devices as they do not use the ThroughTek “Kalay” network.
         
        CVE-2021-28372
        11/9/2021 NUCLEUS:13
        A set of vulnerabilities related to the Nucleus Operating System was disclosed by Siemens on November 9, 2021. The official report can be found here and the researcher’s findings can be found here.
        These vulnerabilities have been assigned the following CVEs.
        • CVE-2021-31344 - ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network.
        • CVE-2021-31345 - The total length of a UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined application that runs on top of the UDP protocol.
        • CVE-2021-31346 - The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory.
        • CVE-2021-31881 - When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.
        • CVE-2021-31882 - The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions.
        • CVE-2021-31883 - When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.
        • CVE-2021-31884 - The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is NULL terminated. In cases when the global hostname variable is not defined, this may lead to out-of-bounds reads, writes, and Denial-of-Service conditions.
        • CVE-2021-31885 - TFTP server application allows for reading the contents of the TFTP memory buffer via sending malformed TFTP commands.
        • CVE-2021-31886 - FTP server does not properly validate the length of the “USER” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
        • CVE-2021-31887 - FTP server does not properly validate the length of the “PWD/XPWD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
        • CVE-2021-31888 - FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
        • CVE-2021-31889 - Malformed TCP packets with a corrupted SACK option lead to Information Leaks and Denial-of-Service conditions.
        • CVE-2021-31890 - The total length of a TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory.
        2021-31885, 2021-31886, 2021-31887, 2021-31888, 2021-31881, 2021-31882, 2021-31883, 2021-31884, 2021-31344, 2021-31345, 2021-31346, 2021-31889, 2021-31890
        Crestron has reviewed products utilizing Nucleus and has found none of its products to be affected.

        For reference, a partial list of Crestron products utilizing Nucleus follows:
        • 2-Series Control Processors – most of these products are discontinued with the notable exceptions of the GLPAC and GL-IPAC
        • DM-MD6X4 and DM-MD6X6
        • DMC-CPU-8/16
        • DMPS3-300-C and DMPS3-300-C-AEC - (Used on Internal Components only - no direct network access)
        • SWAMP and related products
        • CEN-TRACK
        https://www.forescout.com/research-labs/nucleus-13/
        https://www.siemens.com/cert/advisories

        Direct links:

        • pdf: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf
        • txt: https://cert-portal.siemens.com/productcert/txt/ssa-044112.txt
        • csaf: https://cert-portal.siemens.com/productcert/csaf/ssa-044112.json
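        The option-length checks whose absence CVE-2021-31881 through CVE-2021-31884 describe, as an added example (not Crestron or Siemens code): a strict DHCP options parser in C. Option codes 6, 12 and 43 follow RFC 2132; the struct, size limits and sample bytes are constructed for illustration, and reading "Vendor option" as option 43 is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { OPT_PAD = 0, OPT_DNS = 6, OPT_HOSTNAME = 12, OPT_VENDOR = 43, OPT_END = 255 };
enum { MAX_DNS = 4, HOSTNAME_MAX = 64 };  /* illustrative limits, not from the page */

struct dhcp_cfg {
    uint8_t dns[MAX_DNS][4];
    size_t  dns_count;
    char    hostname[HOSTNAME_MAX];  /* parser always NUL-terminates this */
    size_t  vendor_len;
};

/* Parse a DHCP options field. Returns 0, or -1 on any malformed option. */
int parse_dhcp_options(const uint8_t *opt, size_t len, struct dhcp_cfg *out)
{
    size_t i = 0;
    memset(out, 0, sizeof *out);
    while (i < len) {
        uint8_t code = opt[i++];
        if (code == OPT_PAD) continue;
        if (code == OPT_END) return 0;
        if (i >= len) return -1;                 /* length byte is missing */
        size_t olen = opt[i++];
        if (olen > len - i) return -1;           /* value runs past the packet */
        const uint8_t *val = opt + i;
        switch (code) {
        case OPT_DNS:                            /* list of 4-byte IPv4 addresses */
            if (olen == 0 || olen % 4 != 0) return -1;
            for (size_t k = 0; k < olen / 4 && out->dns_count < MAX_DNS; k++)
                memcpy(out->dns[out->dns_count++], val + 4 * k, 4);
            break;
        case OPT_HOSTNAME:                       /* not NUL-terminated on the wire */
            if (olen == 0 || olen >= HOSTNAME_MAX || memchr(val, 0, olen)) return -1;
            memcpy(out->hostname, val, olen);
            out->hostname[olen] = '\0';
            break;
        case OPT_VENDOR:                         /* opaque: record size, copy nothing */
            out->vendor_len = olen;
            break;
        }
        i += olen;                               /* also skips uninterpreted options */
    }
    return -1;                                   /* strict choice: END is required */
}

/* Constructed sample option fields (not captured traffic). */
static const uint8_t GOOD_OPTS[] = { 6,8, 10,0,0,1, 10,0,0,2, 12,4, 'h','o','s','t', 43,2, 0xAA,0xBB, 255 };
static const uint8_t DNS_OVERRUN[]  = { 6, 200, 10,0,0,1, 255 };  /* claims 200 bytes */
static const uint8_t DNS_BAD_SIZE[] = { 6, 3, 10,0,0, 255 };      /* not a multiple of 4 */
static const uint8_t VENDOR_CUT[]   = { 43, 16, 1, 2, 3 };        /* truncated value */
static const uint8_t HOST_NO_END[]  = { 12, 3, 'a','b','c' };     /* END option missing */

int main(void)
{
    struct dhcp_cfg cfg;
    return parse_dhcp_options(GOOD_OPTS, sizeof GOOD_OPTS, &cfg) == 0 &&
           parse_dhcp_options(DNS_OVERRUN, sizeof DNS_OVERRUN, &cfg) == -1 ? 0 : 1;
}
```

        Every length is checked against the bytes remaining in the packet before any copy, and the hostname is terminated by the parser rather than trusted to arrive terminated.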
        12/15/2021 Apache Log4j
        From the official vulnerability registration: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. It was later found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

         
        CVE-2021-44228, CVE-2021-4104, CVE-2021-45046

        Crestron has completed a review of all its products and services and has found none which use Log4j; therefore none are affected by this vulnerability.

        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
         
        1/24/2022 CVE-2022-23178: Web Interface Credentials in Cleartext
        Crestron is aware of an issue discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.
        CVE-2022-23178
        This vulnerability affects the following products:
        • HD-MD4x1-4K-E
        • HD-MD4x2-4K-E
        • HD-MD6x2-4K-E
        Crestron recommends placing the devices on an isolated network.
        Note that the following (4KZ) models are NOT affected by this vulnerability and can be used in place of the affected products.
        • HD-MD4x1-4KZ-E
        • HD-MD4x2-4KZ-E
        • HD-MD6x2-4KZ-E
        For more information, please see: CVE-2022-23178
         
        3/31/2022 CVE-2022-22965: Spring4Shell
        This vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
        Crestron products do not make use of this framework and as such are not vulnerable.
        https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
         
        5/17/2022 CVE-2022-22707: Lighttpd Denial-of-Service
        Crestron is aware of an issue affecting lighttpd versions 1.4.46 through 1.4.63. Under certain non-default configurations, an attacker can perform a remote denial of service attack with a stack-based buffer overflow.
        CVE-2022-22707
        Crestron devices are not affected because they do not utilize the vulnerable configurations.
        For more information, please see CVE-2022-22707
        9/9/2022 CVE-2022-34100: AirMedia Binary Hijack
        The Lockheed Martin Red Team has discovered a vulnerability in the AirMedia Windows Application, version 4.3.1.39, in which a low-privileged user can gain a SYSTEM level command prompt by pre-staging a file structure prior to the installation of a trusted service executable and changing permissions on that file structure during a repair operation.
        CVE-2022-34100
        Please update the AirMedia Deployable and Guest Application to version 5.5.1.87 to resolve this issue.
        For more information, please see CVE-2022-34100
         
        9/9/2022 CVE-2022-34101: AirMedia Rogue DLL
        The Lockheed Martin Red Team has discovered a vulnerability in the AirMedia Windows Application, version 4.3.1.39, in which a user can place a malicious DLL in a certain path to execute code and perform a privilege escalation attack.
        CVE-2022-34101
        Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
        For more information, please see CVE-2022-34101
        9/9/2022 CVE-2022-34102: AirMedia Command Prompt Hijack
        The Lockheed Martin Red Team has discovered a vulnerability in the AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.
        CVE-2022-34102
        Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
        For more information, please see CVE-2022-34102
        9/16/2022 CVE-2022-40298: AirMedia Privilege Escalation
        The Lockheed Martin Red Team has discovered a privilege escalation vulnerability in the AirMedia Windows Application, version 4.3.1.39. A low-privileged user can initiate a repair of the system and gain a SYSTEM level shell. This vulnerability has been classified as CVE-2022-40298.
        Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
        For more information, please see CVE-2022-40298
        11/18/2022 CVE-2022-3602: X.509 Certificate Buffer Overflow (OpenSSL)
        OpenSSL has discovered a vulnerability where an attacker can use a malicious email address to send a specifically constructed certificate to an application. The application receiving the certificate will overwrite memory and crash. This can lead to a denial of service, or allow the attacker to gain remote control over the affected system. This vulnerability has been classified as CVE-2022-3602 and CVE-2022-3786.
        This vulnerability affects the UC-Engine product line on version 1.00.22.766. Crestron is planning a release, version 1.00.22.786, to fix this issue.

        Note: The affected version was never available via Windows Update. It was only possible through XiO Cloud and Crestron Customer Support. Version 1.00.22.786 will be available via XiO Cloud and Crestron Support on Monday, December 12th and will be available as a Windows Update later on.
        For more information, please see: 
        CVE-2022-3786
        CVE-2022-3602
        https://www.openssl.org/news/secadv/20221101.txt
        https://mta.openssl.org/pipermail/openssl-announce/2022-November/000241.html
        https://www.cisa.gov/uscert/ncas/current-activity/2022/11/01/openssl-releases-security-update

         
        1/23/2023 CVE-2022-2068: C_Rehash Command Injection
        Crestron is aware of an issue in which the c_rehash script does not properly sanitize the shell metacharacters to prevent a command injection. The script can be automatically executed on some operating systems allowing an attacker to arbitrarily execute commands with elevated privileges. This vulnerability is a continuation of CVE-2022-1292, which has already been fixed. This vulnerability has been identified as CVE-2022-2068.
        The UC-Engine product line is not affected by this issue since the script mentioned above isn’t used. Crestron recommends updating to version 1.00.22.786 to fix any other present OpenSSL vulnerabilities.
         
        For additional information, please see CVE-2022-2068.
        1/23/2023 CVE-2022-2097: OpenSSL AES OCB Vulnerability
        Crestron is aware of an issue with OpenSSL in which AES OCB mode for 32-bit x86 platforms would not encrypt all the data under certain circumstances. This would allow an attacker to see 16 bytes of preexisting memory in plaintext. This vulnerability has been classified as CVE-2022-2097.
        This vulnerability affects the UC-Engine product line on version 1.00.22.766. Version 1.00.22.786, which fixes this issue, has been released.

        Note: The affected version was never available via Windows Update. It was only possible through XiO Cloud and Crestron Customer Support. Version 1.00.22.786 is available via XiO Cloud and Crestron Support and will be available as a Windows Update in the near future.
         
        For more information, please see: CVE-2022-2097.
        1/23/2023 CVE-2022-3358: Incorrect Cipher Vulnerability
        Crestron is aware of an issue with OpenSSL in which using a custom cipher with a specific legacy function will cause OpenSSL to incorrectly call the function. It will instead call a different cipher from available providers. This can result in disclosure of sensitive information. This vulnerability has been classified as CVE-2022-3358.
        The UC-Engine product line is not affected by this issue since it doesn’t use the legacy function associated with this vulnerability. Crestron recommends updating to version 1.00.22.786 to resolve any other present OpenSSL vulnerabilities.
         
        For more information, please see CVE-2022-3358
         
        4/13/2023 CVE-2023-1017/1018: TPM 2.0 Module Out Of Bounds Vulnerability
        Crestron is aware of an issue with the TPM 2.0 Module Library in which an out-of-bounds attack can be executed. An attacker performing this action can cause a denial of service and access sensitive data stored in the TPM. These vulnerabilities have been identified as CVE-2023-1017/1018.
        Based on the information that is currently available, there are no Crestron products that are vulnerable.
        For more information, please see:
        CVE-2023-1017
        CVE-2023-1018
        6/22/2023 ADB Port Vulnerability
        It has come to Crestron's attention that the x70 series of Touch Panels have inadvertently enabled diagnostic ports in firmware version 2.004.1026. This could potentially allow unauthorized individuals to run uncertified applications on the device.
        This vulnerability affects the following products: TSW-570, TSW-770, TSW-1070, TS-770, TS-1070, TSS-770 and TSS-1070

        If you are using a device with firmware version 2.004.1026, it is recommended that you update your firmware to version 2.004.1029 or higher. You can download the update through XiO Cloud or from Crestron.com. If you have any other concerns or requests, please get in touch with Crestron Support.
        7/25/2023 CVE-2023-38405: BACnet Infinite Loop
        Crestron is aware of an issue on the 3-Series Control Systems where crafting and sending a specific BACnet packet can crash the system. This vulnerability has been classified as CVE-2023-38405.

        This vulnerability affects all 3-Series Control systems running versions prior to 1.8001.0187. These systems include, but are not limited to:
        • CP3N
        • CP3
        • RMC3
        • PRO3

        Please note: The 3-Series Control System is only affected if BACnet is in use.

        For more information, please see CVE-2023-38405

        1/23/2024 CVE-2023-6926: AirMedia Remote Code Execution
        Uri Katz of Claroty Research - Team82 has discovered a vulnerability on the AirMedia 300 where an attacker is able to run arbitrary OS commands after uploading a specifically crafted script using console commands. This vulnerability has been classified as CVE-2023-6926.
        This issue on AirMedia 200 and 300 series has been resolved in firmware version 1.4499.00023.001.
        On the AirMedia 3100 and 3200 series, this issue has been resolved in firmware version 3.0300.0071. Customers should update their devices to the latest firmware.
        For more information, please see:
        CVE-2023-6926 (mitre.org)
        Crestron AM-300 | CISA

        Resources & Documentation

        Updated: 04/05/2024

        The documents below describe in depth the steps needed to secure a Crestron installation. These documents assume the reader has a basic understanding of security functions and protocols.

        Crestron Toolbox Help Files
        MyCrestron.com
        Support
        Additional Resources
