Security Advisories

GHOST
Updated Date: 02/05/15
Threat:
        As per CVE-2015-0235: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
        Identifier:
        N/A
        How is Crestron Affected:

CVE-2015-0235 is a vulnerability that really doesn’t apply to Crestron’s products, as exploiting it requires a custom-written program to run on the device; none of our devices really have this capability.

        However, we have looked through our products, and where applicable, have patched the libraries affected:

        The PRO3/AV3/CP3N’s router firmware has been patched, and will be available by next month.

        The ATC-AUDIONET is the only other product with libraries that have this vulnerability; at the moment, a firmware upgrade is not scheduled to resolve this, mostly due to the fact that the unit is unable to run custom code.

HEARTBLEED
Updated Date: 12/29/14
Threat:

There is a severe vulnerability in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). This is a serious vulnerability which has been assigned the CVE identifier CVE-2014-0160.

Exploitation may lead to disclosure of memory contents from the server to the client and from the client to the server. An attacker can remotely retrieve sensitive data from memory, including, but not limited to, the secret keys used for SSL encryption and authentication tokens.

        Identifier:
        N/A
        How is Crestron Affected:

        Crestron has carefully examined the versions of OpenSSL used in its product line. With the exception of the following three, none of Crestron's devices, software, web sites or tools have been determined to have this vulnerability.

        Crestron has incorporated a fix into firmware v1.1.1 which was released on March 10, 2015.

        1. Crestron App for iOS (Current Released Version)
          • Crestron has incorporated a fix into v1.02.42 which was released on May 28, 2014.
          • It should be noted that this application will only use SSL in connection to a Crestron Control System. To take advantage of this vulnerability in versions prior to v1.02.42, an attacker would need to coerce an end user to change application connection settings to connect to another non-control system device which was specifically coded to retrieve this data.
        2. Crestron Mobile and Crestron Mobile Pro for Android (running on Android 4.1.1 ONLY)
          • Crestron uses the built-in Android services. Customers with devices running Android 4.1.1 are urged to check with their carrier or device manufacturer for updates.
          • It should be noted that this application will only use SSL in connection to a Crestron Control System. To take advantage of this vulnerability in versions prior to v1.02.42, an attacker would need to coerce an end user to change application connection settings to connect to another non-control system device which was specifically coded to retrieve this data.
        3. Crestron AM-100 AirMedia™ Presentation Gateway
SCHANNEL
Updated Date: 11/20/14
Threat:

        Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via crafted packets, aka "Microsoft Schannel Remote Code Execution Vulnerability."

        As per CVE-2014-6332, OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka "Windows OLE Automation Array Remote Code Execution Vulnerability" or WinShock.

        Identifier:
        N/A
        How is Crestron Affected:

        All shipping products were reviewed and the following notes are applicable:

1. While Crestron 3-Series processors do use Windows Embedded operating systems, the kernel itself is different and it is not immediately clear if the same deficiency is present. We are working with Microsoft to make this determination. The web server in these processors does use SChannel for authentication if SSL is enabled. However, in most installations SSL is not enabled. This is further mitigated by the fact that there is no scripting support provided on the 3-Series web server, and so exploitation would be more difficult.
2. Crestron is working with Microsoft regarding an update to Crestron RL. However, as this is an embedded system with code protection enabled, it is not clear that the vulnerability is exploitable.
3. Crestron is working with Microsoft regarding an update to the TPMC-V12, TPMC-V15, and DGE-1. However, as these are embedded systems with code protection enabled, it is not clear that the vulnerability is exploitable.
        4. Customers running Fusion are urged to make sure to apply Windows updates.