CVE-2022-40298: AirMedia Privilege Escalation
09/16/22
More information
Threat:
The Lockheed Martin Red Team has discovered a privilege escalation vulnerability found in the AirMedia Windows Application, version 4.3.1.39. A low privileged user can initiate a repair of the system and gain a SYSTEM level shell.
Identifier:
This vulnerability has been classified as CVE-2022-40298.
How is Crestron Affected:
Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue
CVE-2022-34100: AirMedia Binary Hijack
09/09/22
More information
Threat:
The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a low-privileged user can gain a SYSTEM level command prompt by pre-staging a file structure prior to the installation of a trusted service executable and change permissions on that file structure during a repair operation.
Identifier:
CVE-2022-34100
How is Crestron Affected:
Please update the AirMedia Deployable and Guest Application to version 5.5.1.87 to resolve this issue
CVE-2022-34101: AirMedia Rogue DLL
09/09/22
More information
Threat:
The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a user can place a malicious DLL in a certain path to execute code and preform a privilege escalation attack.
Identifier:
CVE-2022-34101
How is Crestron Affected:
Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
CVE-2022-34102: AirMedia Command Prompt Hijack
09/09/22
More information
Threat:
The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.
Identifier:
CVE-2022-34102
How is Crestron Affected:
Please update the Air Media Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
CVE-2022-22707: Lighttpd Denial-of-Service
05/17/22
More information
Threat:
Crestron is aware of an issue affecting lighttpd versions 1.4.46 through 1.4.63. Under certain non-default configurations, an attacker can perform a remote denial of service attack with a stack-based buffer overflow.
Identifier:
CVE-2022-22707
How is Crestron Affected:
Crestron devices are not affected because they do not utilize the vulnerable configurations.
CVE-2022-22965: Spring4Shell
03/31/22
More information
Threat:
This vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
How is Crestron Affected:
Crestron products do not make use of this framework and as such are not vulnerable.
Resources:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
CVE-2022-23178: Web Interface Credentials in Cleartext
01/24/22
More information
Threat:
Crestron is aware of an issue discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.
Identifier:
CVE-2022-23178
How is Crestron Affected:
This vulnerability affects the following products:
- HD-MD4x1-4K-E
- HD-MD4x2-4K-E
- HD-MD6x2-4K-E
Crestron recommends placing the devices on an isolated network.
Note that the following (4KZ) models are NOT affected by this vulnerability and can be used in place of the affected products.
- HD-MD4x1-4KZ-E
- HD-MD4x2-4KZ-E
- HD-MD6x2-4KZ-E
CVE-2018-15473: OpenSSH User Enumeration
01/12/22
More information
Threat:
Crestron is aware of OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
Identifier:
This vulnerability has been assigned CVE identifier CVE-2018-15473.
How is Crestron Affected:
This vulnerability affects the following products: All 3-Series Control Systems including but not limited to CP3, RMC3, CP3N, PRO3, and all "x52 Series touchscreens" including but not limited to TSW-552, TSW-1052, TSW-752, TSS-752
Crestron 3-Series Control Systems now uses a customized version of OpenSSH. The Crestron version was modified to replace the cryptographic functions with NIST certified alternatives as well as to remove/modify vulnerable components. Crestron continues to monitor OpenSSH vulnerabilities to apply appropriate fixes.
While the TSW and TSS panels noted use OpenSSH 7.5, they don’t support the features related to this vulnerability. Due to these circumstances, Crestron is not susceptible. Newer touchscreens use a later version of OpenSSH which is not susceptible.
Resources:
For more information, please see 3-Series Control System release notes:
v.1.601.0050
Apache Log4j
12/15/21
More information
Threat:
From the offiical vulnerability registration: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. It was later found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
Identifier:
CVE-2021-44228, CVE-2021-4104, CVE-2021-45046
How is Crestron Affected:
Crestron has completed a review of all its products and services and have found none which use Log4j and therefore none are affected by this vulnerability.
Resources:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
NUCLEUS:13
11/09/21
More information
Threat:
A set of vulnerabilities related to the Nucleus Operating System were disclosed by Siemens on November 9, 2021. The official report can be found
here and the researcher’s findings can be found
here.
These vulnerabilities have been assigned the following CVEs.
- CVE-2021-31344 - ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network.
- CVE-2021-31345 - The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol.
- CVE-2021-31346 - The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory.
- CVE-2021-31881- When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.
- CVE-2021-31882 - The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions.
- CVE-2021-31883 - When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.
- CVE-2021-31884 - The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is NULL terminated. In cases when global hostname variable is not defined, this may lead to Out-of-bound reads, writes, and Denial-of-service conditions.
- CVE-2021-31885 - TFTP server application allows for reading the contents of the TFTP memory buffer via sending malformed TFTP commands.
- CVE-2021-31886 - FTP server does not properly validate the length of the “USER” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
- CVE-2021-31887 - FTP server does not properly validate the length of the “PWD/XPWD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
- CVE-2021-31888 - FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
- CVE-2021-31889 - Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-of-Service conditions.
- CVE-2021-31890 - The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory.
Identifier:
2021-31885, 2021-31886, 2021-31887, 2021-31888, 2021-31881, 2021-31882, 2021-31883, 2021-31884, 2021-31344, 2021-31345, 2021-31346, 2021-31889, 2021-31890
How is Crestron Affected:
Crestron has reviewed products utilizing Nucleus and has found none of its products to be affected.
For reference, a partial list of Crestron products utilizing Nucleus follows:
- 2-Series Control Processors – most of these products are discontinued with the notable exceptions of the GLPAC and GL-IPAC
- DM-MD6X4 and DM-MD6X6
- DMC-CPU-8/16
- DMPS3-300-C and DMPS3-300-C-AEC - (Used on Internal Components only - no direct network access)
- SWAMP and related products
- CEN-TRACK
Resources:
https://www.forescout.com/research-labs/nucleus-13/
https://www.siemens.com/cert/advisories
direct link to
- pdf: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf
- txt: https://cert-portal.siemens.com/productcert/txt/ssa-044112.txt
- csaf: https://cert-portal.siemens.com/productcert/csaf/ssa-044112.json
|<
<
1 2 3 4 5 6
>
>|
Pages: 1 of 6