1. Crestron's Cloud Services which include Fusion Cloud, the Crestron Cloud Provisioning Tool and MyCrestron have been patched by Microsoft as of 1/4/2018. For more details on the patch, see: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
2. On Premise Servers running Crestron Fusion should be patched according to Microsoft recommendations. Crestron Fusion itself does not require an update.
3. 3 Series Processors are not known to be affected by Meltdown.
4. 2 Series processors are not affected by Meltdown as they do not use ARM, Intel or AMD based components.
5. These devices (Mercury, DGE-100, DGE-200, TS-1542, DMPS-4K-250, DMPS-4K-350 and DM-TXRX-100-STR) have the potential to be affected by a variant of Meltdown. However, as stated by ARM, it is not believed that software mitigations for this issue are necessary. Please download the ARM’s Cache Speculation Side-channels whitepaper for more details.
6. All TSW Series, TST Series, TSR Series, TPMC-4 Series and TPMC-9 Series are not affected by Meltdown.
7. No DigitalMedia products are known to be affected by Meltdown.
8. No Audio Products are known to be affected by Meltdown.
9. AirMedia (AM-100/101) is not known to be vulnerable by Meltdown.
10. All Lighting and Shade specific products are not affected by Meltdown.
11. Affected Conferencing Products include CCS-UC-CODEC-100, CCS-UC-CODEC-200, Crestron SR, and Mercury. Because of additional security implementations on these devices we believe this to be a low risk issue. Crestron is working with Microsoft to provide patches on these devices.

Products not listed here are pending additional review or discontinued. Crestron will be providing additional information and patches as they become available.

1. Crestron's Cloud Services which include Fusion Cloud, the Crestron Cloud Provisioning Tool and MyCrestron are currently affected as no patches have been published by Microsoft to specifically mitigate the Spectre Vulnerability. For more details, see: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
2. On Premise Servers running Crestron Fusion should be patched according to Microsoft recommendations. Crestron Fusion itself does not require an update.
3. Affected Control Systems include the PRO3, AV3, CP3, CP3N, RMC3, FT-TSC600, PYNG-HUB, TSCW-730, ZUM-FLOOR-HUB DIN-AP3MEX and DIN-AP3. This vulnerability is considered low risk for processors as it’s a second level vulnerability (requires system access which is traditionally not available). It is recommended that you follow Crestron’s Secure Deployment Guidelines to reduce exposure (OLH 5571). The MC3 and TPCS are not affected by Spectre.
4. 2 Series processors are not known to be affected by Spectre as they do not use ARM, Intel or AMD based components.

5. Affected Interfaces include the TSW-1060, TSW-760, TSW-560, TSW-1052, TSW-752, TSW-552, TSS-752, TSW-732, TSW-1050, TSW-750, TSW-730, TSW-550, TSR-302, TSR-310, TST-902, TST-602, DGE-100, DGE-200, TS-1542, and FT-TS600. This vulnerability is considered low risk for interfaces as it’s a second level vulnerability (requires system access which is traditionally not available). It is recommended that you follow Crestron’s Secure Deployment Guidelines to reduce exposure. Additionally to minimize exposure, it would be recommended to avoid implementing the Chrome browser in touchpanel projects.

6. TPMC-4 Series and TPMC-9 Series are not affected by Spectre.

7. Affected DigitalMedia products include NVX, DMPS3 Series, DM-STR, DM-MD64x64, DM-MD128x128 and DM-TXRX-100-STR. This vulnerability is considered low risk for DigitalMedia as it’s a second level vulnerability (requires system access which is traditionally not available). It is recommended that you follow Crestron’s Secure Deployment Guidelines to reduce exposure.

8. Audio Products affected by Spectre include the DSP-1280, DSP-1281, DSP-1282, DSP-1283, DSP-860, AMP-8075 and AMP-8150. This vulnerability is considered low risk for Audio Products as it’s a second level vulnerability (requires system access which is traditionally not available). It is recommended that you follow Crestron’s Secure Deployment Guidelines to reduce exposure.

9. AirMedia (AM-100/101) is not known to be vulnerable by Spectre.

10. All Lighting and Shade specific products are not affected by Spectre.

11. Affected Conferencing Products include CCS-UC-CODEC-100, CCS-UC-CODEC-200, Crestron SR, and Mercury. Because of additional security implementations on these devices we believe this to be a low risk issue. Crestron is working with Microsoft to provide patches on these devices.

Products not listed here are pending additional review or discontinued. Crestron will be providing additional information and patches as they become available.

Crestron is aware of a flaw in the authentication model of the following products:

TSW-560, TSW-560P, TSW-760, TSW-1060, TSW-560-NC, TSW-760-NC, TSW-1060-NC running the following versions 1.002.0016.001, 1.002.0028.001, 1.003.0052.001.

A hacker can gain access to the device configuration pages using invalid credentials. It should be noted that the vulnerability only allows access to the configuration of the device and thus possibly render the device inoperable or inaccessible.

Crestron has posted an updated version of the firmware to address this problem:

• If you are running version 1.002.0016 or 1.002.0028, please update to version 1.002.0029.
• If you are running version 1.003.0052, please update to version 1.003.0054.

If you previously disabled the webserver to mitigate this issue you may re-enable it using the command WEBSERVER ON, followed by a REBOOT.

The only Crestron device that currently exposes a Bluetooth interface is the Crestron Mercury Tabletop Conference System.

Mercury uses a BlueTooth module which incorporates a proprietary operating system (not Android, iOS, Windows or Linux) and therefore is not susceptible to the BlueBorne attack. Furthermore, all Bluetooth profiles are kept inactive during normal operation of the device, requiring explicit user intervention to enable paring and/or discovery to the device. As such, Mercury is not vulnerable to the BlueBorne attack vector.

Platforms not affected

Products running Windows CE 6 and Windows Embedded Compact 7 are not affected by the WannaCry malware package.

PRO3, CP3, CP3N, AV3, DMPS 3-Series (all models), DM-64X64, DM-128X128, RMC3, DIN-AP3, TSW-550, TSW-750, TSW-1050, TSM-730

• Only code signed with Crestron certificates can execute on these devices.
• These devices cannot execute x86 native code and so are not vulnerable to the WannaCry malware.
• The SMB file server is not enabled and so they are not vulnerable to the original ETERNALBLUE exploit.
• NOTE: It is not clear that the vulnerability exists in the Embedded Compact SMB implementation in the first place but as noted it is disabled anyway.

TPMC-4SM, TPMC-9, TST-600

• Only code signed with Crestron certificates can execute on these devices.
• These devices cannot execute x86 native code and so are not vulnerable to the WannaCry malware.
• The SMB ports are open but there is no notice of this implementation being vulnerable to the original ETERNALBLUE exploit.

MC3, TPCS-4SM

• Only code signed with Crestron certificates can execute on these devices.
• These devices cannot execute x86 native code and so are not vulnerable to the WannaCry malware.

Platforms potentially affected

Crestron also has devices using XP Embedded and Windows Embedded Standard 7.

DGE-2, DGE-1, TPMC-V12, TPMC-V15

• These products have the SMB ports closed by default and so are not vulnerable under normal installation.
• In the event the device does become infected; a reboot will clean it up.
• Please install the following update service pack which includes Microsoft KB4012598
  • DGE-1 Use dge-1-osp_1.1.10.zip or higher
  • DGE-2 Use dge-2_1.01.10.puf or higher
  • TPMC-V12/15 Use tpmc-v12_tpmc-v15_1.01.008.puf or higher

TPMC-8X-GA

TPMC-8X-GA Use tpmc-8x-ga-osp_1.1.10.zip or higher.

• NOTE: This product has SMB ports open by default and should be considered at risk.
• In the event the devices does become infected, a reboot will clean it up.
• Please install the following updated service pack which includes Microsoft KB4012598.

TPMC-8X, TPMC-8L

• NOTE: This product has SMB ports open by default and should be considered at risk.
• In the event the devices does become infected, a reboot will clean it up.
• Please install the following updated service pack which forces the SMB ports closed regardless of any other settings.
  • Upgrade firmware to version 2.00.02.219 or above. 2.00.02.221 is the latest release at this writing.
  • Install new service pack tpmc-8x-tpmc-8l-firewall_1.0.0.zip.
  • Ensure firewall is enabled using the console command: FIREWALL

ADMS, ADMS-BR, ADMS-G2

These products have the SMB ports closed by default and so are not vulnerable under default installation. If file sharing options are enabled the device should be considered at risk.

Crestron RL (Version 1 and 2)

• Crestron RL products disallow arbitrary applications to be executed and so are not vulnerable.
• These products have the SMB ports closed by default and so are not vulnerable under normal installation.
• Notwithstanding these protections, Microsoft has provided a security update for Crestron RL products – https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Skype-for-Business-15-15-9-Security-Update-for-Crestron-RL/ba-p/70432
• This has been posted in CCS-UC-200 ver. 15.15.09 and CCS-UC-100 ver. 15.15.09

CEN-FUSION-SERVER-R330, CEN-FUSION-RVS-R310, CEN-FUSION-R320, CEN-RVS-R210, CEN-RVS-R320

Please follow Microsoft guidance for Windows Server Products: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

NOTE: No other current Crestron products have been found to be affected by the WannaCry malware.

1. The most likely exploitation is via web browsers and servers, which is not a high use case on Crestron equipment. In addition, the exploitation is most commonly implemented as a Man-in-the-Middle attack which is also less likely given the way most Crestron systems are put together.
2. Crestron has deprecated support for SSL 3.0 and relies only on TLS which does not have this vulnerability. The console command "SSL" supports the following options: TLSSSL, TLSONLY, TLS1.2ONLY.
3. Crestron does implement the protocol extension, TLS_FALLBACK_SCSV, which prevents MITM attackers from being able to force a protocol downgrade.
4. Crestron's implementation of TLS 1.0 and TLS 1.1 was proven not to expose this vulnerability using the Qualys SSL Labs SSL Server test.

All shipping products were reviewed and the following notes are applicable:

1. The Smart Graphics installation package contains an affected version of the Adobe Flash Player for Internet Explorer. This will be updated in the next release. In the meanwhile, users may update their own systems via the normal means. This only affects developer’s own systems and no Crestron products.
2. The following products support an embedded browser control which supports Flash: DGE-1, DGE-2, TPMC-8X, TPMC-8X-GA, TPMC-V12, TPMC-V15. However, the version of Flash installed on these products is not a version affected. In addition, if the user project on the system does not support browsing to arbitrary sites, the systems are not affected. Note that this does not affect Smart Graphics projects.

CVE-2015-0235 is a vulnerability that really doesn’t apply to Crestron’s products, as it requires a custom written program to run on the device to exploit this vulnerabilities; none of our devices really have this capability.

However, we have looked through our products, and where applicable, have patched the libraries affected:

The PRO3/AV3/CP3N’s router firmware has been patched, and will be available by next month.

The ATC-AUDIONET is the only other product with libraries that have this vulnerability; at the moment, a firmware upgrade is not scheduled to resolve this, mostly due to the fact that the unit is unable to run custom code.

Crestron has carefully examined the versions of OpenSSL used in its product line. With the exception of the following three, none of Crestron's devices, software, web sites or tools have been determined to have this vulnerability.

Crestron has incorporated a fix into firmware v1.1.1 which was released on March 10, 2015.

1. Crestron App for iOS (Current Released Version)
   • Crestron has incorporated a fix into v1.02.42 which was released on May 28, 2014.
   • It should be noted that this application will only use SSL in connection to a Crestron Control System. To take advantage of this vulnerability in versions prior to v1.02.42, an attacker would need to coerce an end user to change application connection settings to connect to another non-control system device which was specifically coded to retrieve this data.
2. Crestron Mobile and Crestron Mobile Pro for Android (running on Android 4.1.1 ONLY)
   • Crestron uses the built-in Android services. Customers with devices running Android 4.1.1 are urged to check with their carrier or device manufacturer for updates.
   • It should be noted that this application will only use SSL in connection to a Crestron Control System. To take advantage of this vulnerability in versions prior to v1.02.42, an attacker would need to coerce an end user to change application connection settings to connect to another non-control system device which was specifically coded to retrieve this data.
3. Crestron AM-100 AirMedia™ Presentation Gateway