        Security Advisories

        CVE-2023-1017/1018: TPM 2.0 Module Out Of Bounds Vulnerability
        04/13/23
        Threat:
        Crestron is aware of an issue in the TPM 2.0 Module Library in which an out-of-bounds memory access can be triggered. An attacker exploiting this issue can cause a denial of service and access sensitive data stored in the TPM.
        Identifier:
        These vulnerabilities have been identified as CVE-2023-1017/1018.
        How is Crestron Affected:
        Based on the information that is currently available, there are no Crestron products that are vulnerable.
        Resources:
        For more information, please see:
        CVE-2023-1017
        CVE-2023-1018
        CVE-2022-2068: C_Rehash Command Injection
        01/23/23
        Threat:
        Crestron is aware of an issue in which the c_rehash script does not properly sanitize the shell metacharacters to prevent a command injection. The script can be automatically executed on some operating systems allowing an attacker to arbitrarily execute commands with elevated privileges. This vulnerability is a continuation of CVE-2022-1292, which has already been fixed.
        Identifier:
        This vulnerability has been identified as CVE-2022-2068
        How is Crestron Affected:
        The UC-Engine product line is not affected by this issue since the script mentioned above isn’t used. Crestron recommends updating to version 1.00.22.786 to fix any other present OpenSSL vulnerabilities.
         
        Resources:
        For additional information, please see CVE-2022-2068.
        CVE-2022-2097: OpenSSL AES OCB Vulnerability
        01/23/23
        Threat:
        Crestron is aware of an issue with OpenSSL in which AES OCB mode for 32-bit x86 platforms would not encrypt all the data under certain circumstances. This would allow an attacker to see 16 bytes of preexisting memory in plaintext.
        Identifier:
        This vulnerability has been classified as CVE-2022-2097.
        How is Crestron Affected:
        This vulnerability affects the UC-Engine product line on version 1.00.22.766. Version 1.00.22.786, which fixes this issue, has been released.

        Note: The affected version was never available via Windows Update. It was only possible through XiO Cloud and Crestron Customer Support. Version 1.00.22.786 is available via XiO Cloud and Crestron Support and will be available as a Windows Update in the near future.
         
        Resources:
        For more information, please see: CVE-2022-2097.
        CVE-2022-3358: Incorrect Cipher Vulnerability
        01/23/23
        Threat:
        Crestron is aware of an issue with OpenSSL in which using a custom cipher through a specific legacy function causes OpenSSL to handle the call incorrectly: instead of the custom cipher, it uses a different cipher fetched from the available providers. This can result in disclosure of sensitive information.
        Identifier:
        This vulnerability has been classified as CVE-2022-3358.
        How is Crestron Affected:
        The UC-Engine product line is not affected by this issue since it doesn’t use the legacy function associated with this vulnerability. Crestron recommends updating to version 1.00.22.786 to resolve any other present OpenSSL vulnerabilities.
         
        Resources:
        For more information, please see CVE-2022-3358.
        CVE-2022-3602: X.509 Certificate Buffer Overflow (OpenSSL)
        11/18/22
        Threat:
        OpenSSL has disclosed a vulnerability in which an attacker can place a malicious email address in a specially constructed certificate and send it to an application. The application processing the certificate will overwrite memory and crash. This can lead to a denial of service, or allow the attacker to gain remote control over the affected system.
        Identifier:
        This vulnerability has been classified as CVE-2022-3602 and CVE-2022-3786.
        How is Crestron Affected:
        This vulnerability affects the UC-Engine product line on version 1.00.22.766. Crestron is planning a release, version 1.00.22.786, to fix this issue.

        Note: The affected version was never available via Windows Update. It was only possible through XiO Cloud and Crestron Customer Support. Version 1.00.22.786 will be available via XiO Cloud and Crestron Support on Monday, December 12th and will be available as a Windows Update later on.
        CVE-2022-40298: AirMedia Privilege Escalation
        09/16/22
        Threat:
        The Lockheed Martin Red Team has discovered a privilege escalation vulnerability in the AirMedia Windows Application, version 4.3.1.39. A low-privileged user can initiate a repair of the installation and gain a SYSTEM-level shell.
        Identifier:
        This vulnerability has been classified as CVE-2022-40298.
        How is Crestron Affected:
        Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
        Resources:
        For more information, please see CVE-2022-40298
        CVE-2022-34100: AirMedia Binary Hijack
        09/09/22
        Threat:
        The Lockheed Martin Red Team has discovered a vulnerability in the AirMedia Windows Application, version 4.3.1.39, in which a low-privileged user can gain a SYSTEM-level command prompt by pre-staging a file structure prior to the installation of a trusted service executable and changing the permissions on that file structure during a repair operation.
        Identifier:
        CVE-2022-34100
        How is Crestron Affected:
        Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
        Resources:
        For more information, please see CVE-2022-34100
         
        CVE-2022-34101: AirMedia Rogue DLL
        09/09/22
        Threat:
        The Lockheed Martin Red Team has discovered a vulnerability in the AirMedia Windows Application, version 4.3.1.39, in which a user can place a malicious DLL in a certain path to execute code and perform a privilege escalation attack.
        Identifier:
        CVE-2022-34101
        How is Crestron Affected:
        Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
        Resources:
        For more information, please see CVE-2022-34101
        CVE-2022-34102: AirMedia Command Prompt Hijack
        09/09/22
        Threat:
        The Lockheed Martin Red Team has discovered a vulnerability in the AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM-level command prompt.
        Identifier:
        CVE-2022-34102
        How is Crestron Affected:
        Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
        Resources:
        For more information, please see CVE-2022-34102
        CVE-2022-22707: Lighttpd Denial-of-Service
        05/17/22
        Threat:
        Crestron is aware of an issue affecting lighttpd versions 1.4.46 through 1.4.63. Under certain non-default configurations, an attacker can trigger a stack-based buffer overflow and perform a remote denial-of-service attack.
        Identifier:
        CVE-2022-22707
        How is Crestron Affected:
        Crestron devices are not affected because they do not utilize the vulnerable configurations.
        Resources:
        For more information, please see CVE-2022-22707