Security Advisories
Vulnerability:
AM-100 and AM-100 Vulnerabilities
Threat:
AIRMEDIA AM-100 and AM-101 Vulnerabilities
We are making the AM-100/101 firmware available today publicly. Anyone requiring assistance should reach out to True Blue Support.
The latest AM-100/101 firmware release include fixes for the following vulnerabilities: CVE-2019-3929, CVE-2019-3930, CVE-2019-3925 CVE-2019-3926, CVE-2019-3931, CVE-2019-3932, CVE-2019-3939, CVE-2019-3927, CVE-2019-3928, CVE-2019-3933, CVE-2019-3934, CVE-2019-3935, CVE-2019-3936, CVE-2019-3937, and CVE-2019-3938. See link below under Resources.
Please note the following vulnerabilities only affect the Airmedia AM-100 and AM-101 devices. All other second generation AirMedia devices are not affected.
Identifier:
There are multiple CVEs associated with this report
How is Crestron Affected:
CVE-2019-3925: Unauthenticated Remote OS Command Injection via SNMP #1
Crestron is aware of a vulnerability that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to command injection via SNMP OID iso.3.6.1.4.1.3212.100.3.2.9.3. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.
CVE-2019-3926: Unauthenticated Remote Command Injection via SNMP #2
Crestron is aware of a vulnerability that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to command injection via SNMP OID iso.3.6.1.4.1.3212.100.3.2.14.1. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.
CVE-2019-3927: Unauthenticated Remote Admin Password Change via SNMP
Crestron is aware of a vulnerability that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 anyone can change the administrator and moderator passwords via the iso.3.6.1.4.1.3212.100.3.2.8.1 and iso.3.6.1.4.1.3212.100.3.2.8.2 OIDs. A remote, unauthenticated attacker can use this vulnerability to change the admin or moderator user's password and gain access to restricted areas on the HTTP interface. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.
CVE-2019-3928: Unauthenticated Remote Information Leak via SNMP
Crestron is aware of a vulnerability that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allow any user to obtain the presentation passcode via the iso.3.6.1.4.1.3212.100.3.2.7.4 OIDs. A remote, unauthenticated attacker can use this vulnerability to access a restricted presentation or to become the presenter. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27. A warning will now appear if SNMP v1 or v2 is used. Crestron recommends using SNMP v3 to avoid this issue.
CVE-2019-3929: Unauthenticated Remote OS Command Injection via file_transfer.cgi
Crestron is aware of a vulnerability that AM-100 with firmware 1.6.0.2 and Crestron AM-101 with firmware 2.7.0.1, are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.
CVE-2019-3930: Unauthenticated Remote Stack Buffer Overflow via file_transfer.cgi
Crestron is aware of a vulnerability that AM-100 with firmware 1.6.0.2 and Crestron AM-101 with firmware 2.7.0.1, are vulnerable to a stack buffer overflow in libAwgCgi.so's PARSERtoCHAR function. A remote, unauthenticated attacker can use this vulnerability to execute arbitrary code as root via a crafted request to the return.cgi endpoint. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.
CVE-2019-3931: Remote View Pass Code Bypass and Information Leak
Crestron is aware of a vulnerability that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to argumentation injection to the curl binary via crafted HTTP requests to return.cgi. A remote, authenticated attacker can use this vulnerability to upload files to the device and ultimately execute code as root. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.
CVE-2019-3932: Authentication Bypass in return.tgi
Crestron is aware of a vulnerability that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to authentication bypass due to a hard-coded password in return.tgi. A remote, unauthenticated attacker can use this vulnerability to control external devices via the uart_bridge. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.
CVE-2019-3933: Authentication bypass to view "remote view" via HTTP browserslide.jpg
Crestron is aware of a vulnerability that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code simply by requesting /images/browserslide.jpg via HTTP. A remote, unauthenticated attacker can use this vulnerability to watch a slideshow without knowing the access code. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.
CVE-2019-3934: Remove View Pass Code Bypass #2
Crestron is aware of a vulnerability that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code sending a crafted HTTP POST request to login.cgi. A remote, unauthenticated attacker can use this vulnerability to download the current slide image without knowing the access code. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.
CVE-2019-3935: Unauthenticated Remote Moderator Controls via HTTP
Crestron is aware of a vulnerability that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to act as a moderator to a slide show via crafted HTTP POST requests to conference.cgi. A remote, unauthenticated attacker can use this vulnerability to start, stop, and disconnect active slideshows. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.
CVE-2019-3936: Unauthenticated Remote View Control via port 389
Crestron is aware of a vulnerability that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 is vulnerable to denial of service via a crafted request to TCP port 389. The request will force the slideshow to transition into a "stopped" state. A remote, unauthenticated attacker can use this vulnerability to stop an active slideshow. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.
CVE-2019-3937: Credentials Stored in Plaintext
Crestron is aware of a vulnerability that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 stores usernames, passwords, slideshow passcode, and other configuration options in cleartext in the file /tmp/scfgdndf. A local attacker can use this vulnerability to recover sensitive data. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.
CVE-2019-3938: Exported Configuration Files Contain Credentials
Crestron is aware of a vulnerability that the AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 stores usernames, passwords, and other configuration options in the file generated via the "export configuration" feature. The configuration file is encrypted using the awenc binary. The same binary can be used to decrypt any configuration file since all the encryption logic is hard coded. A local attacker can use this vulnerability to gain access to devices username and passwords. This vulnerability has been resolved with the firmware release AM-100/101 v.1.7.1.7_2.8.0.27.