CVE-2023-1017/1018: TPM 2.0 Module Out Of Bounds Vulnerability
04/13/23
Threat:
Crestron is aware of two issues in the Trusted Computing Group's TPM 2.0 reference library: an out-of-bounds write (CVE-2023-1017) and an out-of-bounds read (CVE-2023-1018) in the routine that decrypts command parameters. An attacker able to send crafted commands to the TPM can cause a denial of service or access sensitive data held by the TPM.
Identifier:
These vulnerabilities have been identified as CVE-2023-1017 and CVE-2023-1018.
How is Crestron Affected:
Based on the information that is currently available, there are no Crestron products that are vulnerable.
CVE-2022-2068: C_Rehash Command Injection
01/23/23
Threat:
Crestron is aware of an issue in which the OpenSSL c_rehash script does not properly sanitise shell metacharacters in file names, allowing command injection. Some operating systems distribute the script in a way that executes it automatically, so an attacker who can place a crafted file name in a certificate directory can execute arbitrary commands with the privileges of the script, which are often elevated. This issue is a follow-up to CVE-2022-1292: the fix for that CVE was incomplete and left further unsanitised code paths in the same script. OpenSSL's advisory considers c_rehash obsolete and recommends replacing it with the openssl rehash command-line tool.
Identifier:
This vulnerability has been identified as CVE-2022-2068
How is Crestron Affected:
The UC-Engine product line is not affected by this issue because it does not use the c_rehash script. Crestron nevertheless recommends updating to version 1.00.22.786, which addresses the other OpenSSL vulnerabilities listed on this page.
CVE-2022-2097: OpenSSL AES OCB Vulnerability
01/23/23
Threat:
Crestron is aware of an issue in OpenSSL where the AES-NI assembly implementation of AES OCB mode for 32-bit x86 platforms does not encrypt the entirety of the data under some circumstances, leaving sixteen bytes of whatever was previously in the output buffer unencrypted. For in-place encryption this means sixteen bytes of plaintext are revealed to anyone who can read the ciphertext.
Identifier:
This vulnerability has been classified as CVE-2022-2097.
How is Crestron Affected:
This vulnerability affects the UC-Engine product line on version 1.00.22.766. Version 1.00.22.786, which fixes this issue, has been released.
Note: The affected version was never distributed via Windows Update; it was only available through XiO Cloud and Crestron Customer Support. Version 1.00.22.786 is available via XiO Cloud and Crestron Support and will be offered through Windows Update in the near future.
CVE-2022-3358: Incorrect Cipher Vulnerability
01/23/23
Threat:
Crestron is aware of an issue in OpenSSL 3.0 in which an application that creates a custom cipher through the legacy EVP_CIPHER_meth_new() API without assigning it a NID (passing NID_undef) can cause OpenSSL, when that cipher is passed to initialisation functions such as EVP_EncryptInit_ex2(), to look up an "equivalent" cipher by that undefined NID from the loaded providers and silently match the NULL cipher instead. Data is then emitted unencrypted, which can result in disclosure of sensitive information.
Identifier:
This vulnerability has been classified as CVE-2022-3358.
How is Crestron Affected:
The UC-Engine product line is not affected by this issue because it does not use the legacy custom-cipher function involved. Crestron nevertheless recommends updating to version 1.00.22.786, which addresses the other OpenSSL vulnerabilities listed on this page.
CVE-2022-3602: X.509 Certificate Buffer Overflow (OpenSSL)
11/18/22
Threat:
OpenSSL has disclosed two buffer overflows in X.509 certificate verification, triggered while checking name constraints against an email address that uses punycode encoding. An attacker can craft a certificate containing a malicious email address and present it to an application; when the application verifies the certificate, a stack buffer is overrun. CVE-2022-3602 overwrites four attacker-controlled bytes and CVE-2022-3786 overwrites an arbitrary number of bytes each containing the '.' character; either can crash the application (denial of service) and the former could potentially allow remote code execution. The overflow occurs after the certificate chain signature check, so it requires either a CA that has signed the malicious certificate or an application that continues verification despite failing to build a trusted path.
Identifier:
These vulnerabilities have been classified as CVE-2022-3602 and CVE-2022-3786.
How is Crestron Affected:
These vulnerabilities affect the UC-Engine product line on version 1.00.22.766. Crestron is planning a release, version 1.00.22.786, to fix this issue.
Note: The affected version was never distributed via Windows Update; it was only available through XiO Cloud and Crestron Customer Support. Version 1.00.22.786 will be available via XiO Cloud and Crestron Support on Monday, December 12th and will be offered through Windows Update later on.
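The four OpenSSL advisories above (CVE-2022-2068, CVE-2022-2097, CVE-2022-3358 and CVE-2022-3602/3786) are all decided by which OpenSSL release a host is running. The following triage helper is an added example, not Crestron or OpenSSL project code: it parses the banner printed by `openssl version` and reports each CVE as affected, fixed, not affected or not in its table. The first-fixed releases in FIXED_IN are taken from the upstream OpenSSL security advisories for each CVE and are an assumption to re-verify against openssl.org before relying on them; only the 1.1.1 and 3.0 branches are tabulated, and the banners in main() are constructed samples.

```python
"""Triage `openssl version` banners against the OpenSSL CVEs on this page.

Added example; not Crestron or OpenSSL project code."""
import re

# First release that fixes each CVE per the upstream OpenSSL advisories
# (assumption: re-check against openssl.org/news/vulnerabilities before use).
# Value None = that branch is not affected; branch absent = not tabulated here,
# which is reported as "not in table" rather than as safe.
FIXED_IN = (
    ("CVE-2022-2068", "c_rehash command injection",
     {"1.1.1": "1.1.1p", "3.0": "3.0.4"}),
    ("CVE-2022-2097", "AES OCB incomplete encryption on 32-bit x86",
     {"1.1.1": "1.1.1q", "3.0": "3.0.5"}),
    ("CVE-2022-3358", "custom cipher with NID_undef falls back to NULL cipher",
     {"1.1.1": None, "3.0": "3.0.6"}),
    ("CVE-2022-3602/3786", "X.509 punycode buffer overflows",
     {"1.1.1": None, "3.0": "3.0.7"}),
)

BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (branch, sortable key) from e.g. 'OpenSSL 1.1.1n  15 Mar 2022'.

    1.x releases are lettered (1.1.1n < 1.1.1p), 3.x releases are numeric;
    the key (major, minor, patch, letter) orders both correctly.
    """
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)
    branch = f"{major}.{minor}.{patch}" if major == 1 else f"{major}.{minor}"
    return branch, (major, minor, patch, letter)


def triage(banner):
    """Map each CVE to 'AFFECTED', 'fixed', 'not affected' or 'not in table'."""
    branch, key = parse_version(banner)
    report = {}
    for cve, _title, fixed in FIXED_IN:
        if branch not in fixed:
            report[cve] = "not in table"
        elif fixed[branch] is None:
            report[cve] = "not affected"
        else:
            _, fixed_key = parse_version("OpenSSL " + fixed[branch])
            report[cve] = "fixed" if key >= fixed_key else "AFFECTED"
    return report


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for banner in ("OpenSSL 3.0.2 15 Mar 2022",
                   "OpenSSL 1.1.1n  15 Mar 2022",
                   "OpenSSL 3.0.7 1 Nov 2022"):
        print(banner)
        for cve, status in triage(banner).items():
            print(f"  {cve:<20} {status}")
```

The banner is only a first-pass filter: distribution packages (Debian, Ubuntu, RHEL and others) backport fixes without changing the upstream version string, so a host reporting 3.0.2 may already carry the CVE-2022-3602 fix and must be confirmed from the package changelog. The UC-Engine numbers on this page (1.00.22.766, 1.00.22.786) are Crestron firmware versions, not OpenSSL versions, so this helper applies to hosts where openssl can be run directly.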
CVE-2022-40298: AirMedia Privilege Escalation
09/16/22
Threat:
The Lockheed Martin Red Team discovered a privilege escalation vulnerability in the AirMedia Windows application, version 4.3.1.39. A low-privileged user can initiate a repair of the installation and obtain a SYSTEM-level shell.
Identifier:
This vulnerability has been classified as CVE-2022-40298.
How is Crestron Affected:
Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
CVE-2022-34100: AirMedia Binary Hijack
09/09/22
Threat:
The Lockheed Martin Red Team discovered a vulnerability in the AirMedia Windows application, version 4.3.1.39, in which a low-privileged user can obtain a SYSTEM-level command prompt by pre-staging a directory structure before a trusted service executable is installed into it, then changing the permissions on that directory structure during a repair operation.
Identifier:
CVE-2022-34100
How is Crestron Affected:
Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
CVE-2022-34101: AirMedia Rogue DLL
09/09/22
Threat:
The Lockheed Martin Red Team discovered a vulnerability in the AirMedia Windows application, version 4.3.1.39, in which a user can place a malicious DLL in a certain path from which the application loads it, executing attacker-controlled code and allowing privilege escalation.
Identifier:
CVE-2022-34101
How is Crestron Affected:
Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
CVE-2022-34102: AirMedia Command Prompt Hijack
09/09/22
Threat:
The Lockheed Martin Red Team discovered a vulnerability in the AirMedia Windows application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to obtain a SYSTEM-level command prompt.
Identifier:
CVE-2022-34102
How is Crestron Affected:
Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
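The three AirMedia findings above (CVE-2022-34100, CVE-2022-34101 and CVE-2022-34102) share one precondition: a low-privileged user can create or replace files in a directory that a SYSTEM-level installer, service or DLL search path later trusts. The check a practitioner wants after patching is therefore "which application directories can Users or Everyone still write to?". The helper below is an added example, not Crestron code or the red team's tooling: it parses the text output of the Windows icacls command (for example `icacls "C:\Program Files\Vendor" /t`, captured to a file) and flags directories where a low-privileged principal holds write, modify, full-control or add-file/add-subdirectory rights without an explicit deny. The icacls output in SAMPLE is constructed for illustration, and the names ExampleApp, LOW_PRIV and WRITE_RIGHTS are this example's own.

```python
"""Flag directories where low-privileged principals can plant or replace files,
the precondition for pre-staging an install tree or DLL hijacking.

Added example, not Crestron code. Input is the text output of `icacls <dir> /t`.
"""
import re

# One ACE as icacls prints it: "<principal>:(flag)(flag)...", e.g.
# "BUILTIN\Users:(I)(OI)(CI)(RX)" or "Everyone:(OI)(CI)(WD,AD,RX)".
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<flags>(?:\([^()]*\))+)\s*$")
# Used only when an entry has a single ACE and so no alignment column to go by.
FALLBACK_RE = re.compile(
    r"(?:(?:NT AUTHORITY|NT SERVICE|BUILTIN)\\[^:]+|CREATOR OWNER|Everyone"
    r"|[^\s\\:]+\\[^\s:]+):(?:\([^()]*\))+\s*$")
# icacls rights that let a principal add or overwrite files in a directory:
# full, modify, write, write-data/add-file, append-data/add-subdirectory,
# plus write-DAC and write-owner, which can be turned into the others.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}
LOW_PRIV = {"everyone", r"builtin\users",
            r"nt authority\authenticated users", r"nt authority\interactive"}


def parse_ace(text):
    """Return (principal, write_rights_granted, is_deny) or None if unparseable."""
    m = ACE_RE.match(text.strip())
    if not m:
        return None
    tokens = []
    for group in re.findall(r"\(([^()]*)\)", m.group("flags")):
        tokens.extend(t.strip() for t in group.split(","))
    return m.group("principal"), {t for t in tokens if t in WRITE_RIGHTS}, "DENY" in tokens


def parse_icacls(output):
    """Yield (path, [ACE tuples]) per entry of icacls text output."""
    entries = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line[0].isspace() and entries:
            entries[-1][1].append(line)      # continuation ACE of the current path
        else:
            entries.append((line, []))       # "path first-ACE" line
    for first, rest in entries:
        col = None
        if rest:
            # icacls pads continuation lines to the column where the first
            # line's ACE starts, which tells us where the path (which may
            # contain spaces) ends.  Fall back if that alignment is broken.
            col = len(rest[0]) - len(rest[0].lstrip())
            if not first[:col].endswith(" "):
                col = None
        if col is None:
            m = FALLBACK_RE.search(first)
            if not m:
                continue                     # cannot split path from ACE
            col = m.start()
        aces = [parse_ace(t) for t in [first[col:]] + rest]
        yield first[:col].rstrip(), [a for a in aces if a]


def find_weak_dirs(output):
    """Return [(path, principal, sorted rights)] for writable low-priv grants."""
    findings = []
    for path, aces in parse_icacls(output):
        # Simplified Windows evaluation: an explicit DENY of write rights for a
        # principal overrides its grants.
        denied = {p.lower() for p, rights, deny in aces if deny and rights}
        for principal, rights, deny in aces:
            if deny or not rights or principal.lower() not in LOW_PRIV:
                continue
            if principal.lower() in denied:
                continue
            findings.append((path, principal, sorted(rights)))
    return findings


# Constructed icacls output (not from a real host); ExampleApp is hypothetical.
SAMPLE = r"""
C:\Program Files\ExampleApp NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                            BUILTIN\Administrators:(I)(OI)(CI)(F)
                            BUILTIN\Users:(I)(OI)(CI)(RX)
C:\ExampleApp BUILTIN\Users:(OI)(CI)(M)
              NT AUTHORITY\SYSTEM:(OI)(CI)(F)
C:\ExampleApp\plugins Everyone:(OI)(CI)(WD,AD,RX)
C:\ProgramData\ExampleApp\cache BUILTIN\Users:(DENY)(W)
                                BUILTIN\Users:(OI)(CI)(M)
Successfully processed 4 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, rights in find_weak_dirs(SAMPLE):
        print(f"{path}: {who} can write ({','.join(rights)})")
```

A directory outside Program Files with a Users Modify grant (C:\ExampleApp in the sample) is exactly what lets a standard user pre-stage a tree before the installer creates it, and an Everyone add-file grant on a plugin or library directory is what a DLL-planting attack needs. Run the check against the AirMedia install root and anything it loads from after upgrading to 5.5.1.87 to confirm the weak ACLs did not survive the upgrade; the deny-override logic here is a simplification of Windows ACE ordering, so treat a "not flagged" result on a directory with deny entries as something to confirm with icacls by hand.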
CVE-2022-22707: Lighttpd Denial-of-Service
05/17/22
Threat:
Crestron is aware of an issue affecting lighttpd versions 1.4.46 through 1.4.63. In a non-default configuration where mod_extforward is enabled and set to process the Forwarded header, a remote attacker can trigger a stack-based buffer overflow and crash the server (denial of service).
Identifier:
CVE-2022-22707
How is Crestron Affected:
Crestron devices are not affected because they do not use the vulnerable configuration.