
        Security Advisories

        ThroughTek's Kalay Platform
        08/25/21
        Threat:
        A critical vulnerability has been discovered that affects IoT devices that use ThroughTek’s “Kalay” network. Exploiting this vulnerability allows the attacker to listen to live audio, watch real-time video data, and compromise the credentials on the device for further attacks. This can let the attacker remotely control the device.
         
        Identifier:
        This vulnerability has been assigned CVE identifier CVE-2021-28372
        How is Crestron Affected:
        This vulnerability has no impact on Crestron devices as they do not use the ThroughTek “Kalay” network.
         
        Resources:
        AM-100 and AM-101 Vulnerabilities
        07/27/21
        Threat:

        AIRMEDIA AM-100 and AM-101 Vulnerabilities

        We are making the AM-100/101 firmware publicly available today. Anyone requiring assistance should reach out to True Blue Support.

        The latest AM-100/101 firmware release includes fixes for the following vulnerabilities: CVE-2019-3929, CVE-2019-3930, CVE-2019-3925, CVE-2019-3926, CVE-2019-3931, CVE-2019-3932, CVE-2019-3939, CVE-2019-3927, CVE-2019-3928, CVE-2019-3933, CVE-2019-3934, CVE-2019-3935, CVE-2019-3936, CVE-2019-3937, and CVE-2019-3938. See link below under Resources.

        Please note the following vulnerabilities only affect the AirMedia AM-100 and AM-101 devices. All other second generation AirMedia devices are not affected.

        Identifier:
        There are multiple CVEs associated with this report
        How is Crestron Affected:

        CVE-2019-3925: Unauthenticated Remote OS Command Injection via SNMP #1
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 are vulnerable to command injection via SNMP OID iso.3.6.1.4.1.3212.100.3.2.9.3. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3926: Unauthenticated Remote Command Injection via SNMP #2
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 are vulnerable to command injection via SNMP OID iso.3.6.1.4.1.3212.100.3.2.14.1. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3927: Unauthenticated Remote Admin Password Change via SNMP
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 allow anyone to change the administrator and moderator passwords via the iso.3.6.1.4.1.3212.100.3.2.8.1 and iso.3.6.1.4.1.3212.100.3.2.8.2 OIDs. A remote, unauthenticated attacker can use this vulnerability to change the admin or moderator user's password and gain access to restricted areas on the HTTP interface. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3928: Unauthenticated Remote Information Leak via SNMP
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 allow any user to obtain the presentation passcode via the iso.3.6.1.4.1.3212.100.3.2.7.4 OID. A remote, unauthenticated attacker can use this vulnerability to access a restricted presentation or to become the presenter. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27. A warning will now appear if SNMP v1 or v2 is used. Crestron recommends using SNMP v3 to avoid this issue.

        CVE-2019-3929: Unauthenticated Remote OS Command Injection via file_transfer.cgi
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.1 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3930: Unauthenticated Remote Stack Buffer Overflow via file_transfer.cgi
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.1 are vulnerable to a stack buffer overflow in libAwgCgi.so's PARSERtoCHAR function. A remote, unauthenticated attacker can use this vulnerability to execute arbitrary code as root via a crafted request to the return.cgi endpoint. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3931: Remote View Pass Code Bypass and Information Leak
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 are vulnerable to argument injection to the curl binary via crafted HTTP requests to return.cgi. A remote, authenticated attacker can use this vulnerability to upload files to the device and ultimately execute code as root. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3932: Authentication Bypass in return.tgi
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 are vulnerable to authentication bypass due to a hard-coded password in return.tgi. A remote, unauthenticated attacker can use this vulnerability to control external devices via the uart_bridge. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3933: Authentication bypass to view "remote view" via HTTP browserslide.jpg
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 allow anyone to bypass the presentation code simply by requesting /images/browserslide.jpg via HTTP. A remote, unauthenticated attacker can use this vulnerability to watch a slideshow without knowing the access code. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3934: Remote View Pass Code Bypass #2
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 allow anyone to bypass the presentation code by sending a crafted HTTP POST request to login.cgi. A remote, unauthenticated attacker can use this vulnerability to download the current slide image without knowing the access code. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3935: Unauthenticated Remote Moderator Controls via HTTP
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 allow anyone to act as a moderator of a slideshow via crafted HTTP POST requests to conference.cgi. A remote, unauthenticated attacker can use this vulnerability to start, stop, and disconnect active slideshows. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3936: Unauthenticated Remote View Control via port 389
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 are vulnerable to denial of service via a crafted request to TCP port 389. The request will force the slideshow to transition into a "stopped" state. A remote, unauthenticated attacker can use this vulnerability to stop an active slideshow. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3937: Credentials Stored in Plaintext
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 store usernames, passwords, the slideshow passcode, and other configuration options in cleartext in the file /tmp/scfgdndf. A local attacker can use this vulnerability to recover sensitive data. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3938: Exported Configuration Files Contain Credentials
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 store usernames, passwords, and other configuration options in the file generated via the "export configuration" feature. The configuration file is encrypted using the awenc binary. The same binary can be used to decrypt any configuration file since all the encryption logic is hard-coded. A local attacker can use this vulnerability to gain access to device usernames and passwords. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        Frag Attack
        07/20/21
        Threat:
        Crestron is aware of a series of 12 vulnerabilities in the 802.11 standard. These are described in the research paper Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation, which was made public 5/11/2021.

        Three of these vulnerabilities are considered design vulnerabilities, while the other nine are implementation vulnerabilities. These vulnerabilities could allow an attacker to forge data, which in turn could give the attacker access to sensitive data from a device.


         
        Identifier:
        CVE-2020-24588, CVE-2020-24587, CVE-2020-24586, CVE-2020-26145, CVE-2020-26144, CVE-2020-26140, CVE-2020-26143, CVE-2020-26139, CVE-2020-26146, CVE-2020-26147, CVE-2020-26142, CVE-2020-26141
        How is Crestron Affected:
        Crestron is reviewing its product line to identify any affected products. This advisory will be updated as further information is available. 

        TSR-310
        Status: Affected
        Release Availability: Please update to firmware version 2.001.0104.001 or higher.

        HZ-THTSTAT
        Status: Affected
        Release Availability: Please update to version 1.001.0000.001 or higher. Expected to be released September 2021.

        All models of TS-1070, TSW-1070, TS-770, TSW-770, TS-570, TSW-570 touch screens
        Status: Affected
        Release Availability: N/A

        CEN-IO-IR-204, CEN-IO-DIGIN-204, CEN-IO-RY-204
        Status: Affected
        Release Availability: Expected by end of Q3'21

        All models of UC-2, UC-MM30, UC-MMX30 systems (Mercury Mini)
        Status: Affected
        Release Availability: Please update to version 1.0.4.30 or higher. Expected to be released September 2021

        All models of UC-P8, UC-P10 
        Status: Affected
        Release Availability: Please update to version 1.0.4.22 or higher. Expected to be released October 2021

        TST-902
        Status: Under evaluation

        AM-USB-WF
        Status: Affected
        Release Availability: TBD

         
        Resources:
        The security researcher’s description of the flaws can be found at https://www.fragattacks.com/.

        These vulnerabilities have been assigned the following CVEs.

        The following are design flaws:
        • CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
        • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
        • CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
        These implementation vulnerabilities allow the trivial injection of plain text frames in a protected Wi-Fi network:
        • CVE-2020-26145: Accepting plain text broadcast fragments as full frames (in an encrypted network).
        • CVE-2020-26144: Accepting plain text A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
        • CVE-2020-26140: Accepting plain text data frames in a protected network.
        • CVE-2020-26143: Accepting fragmented plain text data frames in a protected network.
        These are other implementation vulnerabilities:
        • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
        • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
        • CVE-2020-26147: Reassembling mixed encrypted/plain text fragments.
        • CVE-2020-26142: Processing fragmented frames as full frames.
        • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
        SolarWinds
        12/22/20
        Threat:
        Several technology companies recently disclosed a sophisticated supply chain attack that used malicious SolarWinds Orion software to compromise government and business networks across the world.
        Identifier:
        N/A
        How is Crestron Affected:
        Based on available information about the threat and a thorough review of our internal environment, we can share that this attack has not impacted Crestron. We have not used the SolarWinds software version reported to be compromised.
         
        Resources:
        CVE-2020-16839: PASSWORD CHANGE VIA WEBSOCKET REQUEST
        09/25/20
        Threat:
        Crestron is aware of a vulnerability in the web application that allows the password to be changed by sending an unauthenticated WebSocket request.
         
        Identifier:
        This vulnerability has been assigned CVE identifier CVE-2020-16839.
        How is Crestron Affected:
        This vulnerability affects the following products: DM-NVX-DIR-80, DM-NVX-DIR-160, DM-NVX-DIR-ENT
         
        This vulnerability has been resolved in the current firmware upgrade. Crestron recommends upgrading devices with current firmware available on the product page.
         
        Minimum firmware versions to address this vulnerability: v.1.0.3.802
        Resources:
        For more information, please see release notes: v.1.0.3.802
        RIPPLE20: Treck TCP/IP Stack
        06/29/20
        Threat:
        Crestron is aware of a public report, known as “Ripple20”, that details vulnerabilities found in the Treck TCP/IP stack. Crestron is issuing this advisory to provide notice of the reported vulnerabilities.
        Identifier:
        This vulnerability has been assigned multiple CVE identifiers. See list below.
        How is Crestron Affected:
        We have reviewed our product lines and confirmed with our vendors this reported vulnerability does not affect any Crestron products.

        Assigned CVE identifiers:
        Resources:
        To receive more information about the vulnerabilities or the Treck release containing fixes, or for patches for all of these reported issues, please contact security@treck.com.

        CERT Coordination Center Advisory – https://kb.cert.org/vuls/id/257161
        ICS-CERT Advisory – https://www.us-cert.gov/ics/advisories/icsa-20-168-01
        CVE-2018-15473: OpenSSH User Enumeration
        05/22/20
        Threat:
        Crestron is aware that OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
         
        Identifier:
        This vulnerability has been assigned CVE identifier CVE-2018-15473.
        How is Crestron Affected:
        This vulnerability affects the following products: CP3, RMC3, CP3N, PRO3
         
        Crestron 3-Series Control Systems now use a customized version of OpenSSH. The Crestron version was modified to replace the cryptographic functions with NIST-certified alternatives as well as to remove or modify vulnerable components. Crestron continues to monitor OpenSSH vulnerabilities to apply appropriate fixes.
        Resources:
        For more information, please see release notes: v.1.601.0050
        CVE-2019-16905: OpenSSH Integer Overflow
        05/22/20
        Threat:
        Crestron is aware that OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, have a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm.
         
        NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions.
         
        Identifier:
        This vulnerability has been assigned CVE identifier CVE-2019-16905
        How is Crestron Affected:
        Crestron products do not enable support for XMSS and, therefore, are not affected by this flaw.
         
        Resources:
        For more information, please see CVE-2019-16905
         
        CVE-1999-0524: ICMP Exploit
        03/28/20
        Threat:
        Crestron is aware of a vulnerability in which the ICMP protocol can send netmask and timestamp information to other hosts.
         
        Identifier:
        This vulnerability has been assigned CVE identifier CVE-1999-0524.
        How is Crestron Affected:
        This vulnerability affects the following products: PRO3, RMC3 and CP3.
         
        Crestron recommends upgrading devices to the current firmware available and turning ICMP OFF to mitigate risk.
        Resources:
        For more information, see CVE-1999-0524
        CVE-2018-11228: Bash Shell Exploit
        03/27/20
        Threat:
        Crestron is aware of a vulnerability that allows unauthenticated, remote code execution with the Bash shell service in Crestron Toolbox Protocol.
         
        Identifier:
        This vulnerability has been assigned CVE identifier CVE-2018-11228
        How is Crestron Affected:
        This vulnerability affects the following products: TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW-560-NC.
         
        Crestron recommends that users update their firmware to v2.007.0060.001
         
        Resources:
        For more information, please see release notes: v2.007.0060.001