        Security Advisories

        Vulnerability
        Updated Date
        Threat
        Identifier
        How is Crestron Affected
        Resources
        AM-100 and AM-101 Vulnerabilities
        10/03/19
        Threat:

        AIRMEDIA AM-100 and AM-101 Vulnerabilities

        We are making the AM-100/101 firmware publicly available today. Anyone requiring assistance should reach out to True Blue Support.

        The latest AM-100/101 firmware release includes fixes for the following vulnerabilities: CVE-2019-3929, CVE-2019-3930, CVE-2019-3925, CVE-2019-3926, CVE-2019-3931, CVE-2019-3932, CVE-2019-3939, CVE-2019-3927, CVE-2019-3928, CVE-2019-3933, CVE-2019-3934, CVE-2019-3935, CVE-2019-3936, CVE-2019-3937, and CVE-2019-3938. See link below under Resources.

        Please note that the following vulnerabilities affect only the AirMedia AM-100 and AM-101 devices. All other second generation AirMedia devices are not affected.

        Identifier:
        There are multiple CVEs associated with this report
        How is Crestron Affected:

        CVE-2019-3925: Unauthenticated Remote OS Command Injection via SNMP #1
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 are vulnerable to command injection via SNMP OID iso.3.6.1.4.1.3212.100.3.2.9.3. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3926: Unauthenticated Remote Command Injection via SNMP #2
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 are vulnerable to command injection via SNMP OID iso.3.6.1.4.1.3212.100.3.2.14.1. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3927: Unauthenticated Remote Admin Password Change via SNMP
        Crestron is aware that on the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2, anyone can change the administrator and moderator passwords via the iso.3.6.1.4.1.3212.100.3.2.8.1 and iso.3.6.1.4.1.3212.100.3.2.8.2 OIDs. A remote, unauthenticated attacker can use this vulnerability to change the admin or moderator user's password and gain access to restricted areas on the HTTP interface. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3928: Unauthenticated Remote Information Leak via SNMP
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 allow any user to obtain the presentation passcode via the iso.3.6.1.4.1.3212.100.3.2.7.4 OID. A remote, unauthenticated attacker can use this vulnerability to access a restricted presentation or to become the presenter. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27. A warning will now appear if SNMP v1 or v2 is used. Crestron recommends using SNMP v3 to avoid this issue.

        CVE-2019-3929: Unauthenticated Remote OS Command Injection via file_transfer.cgi
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.1 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3930: Unauthenticated Remote Stack Buffer Overflow via file_transfer.cgi
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.1 are vulnerable to a stack buffer overflow in libAwgCgi.so's PARSERtoCHAR function. A remote, unauthenticated attacker can use this vulnerability to execute arbitrary code as root via a crafted request to the return.cgi endpoint. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3931: Remote View Pass Code Bypass and Information Leak
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 are vulnerable to argument injection to the curl binary via crafted HTTP requests to return.cgi. A remote, authenticated attacker can use this vulnerability to upload files to the device and ultimately execute code as root. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3932: Authentication Bypass in return.tgi
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 are vulnerable to authentication bypass due to a hard-coded password in return.tgi. A remote, unauthenticated attacker can use this vulnerability to control external devices via the uart_bridge. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3933: Authentication bypass to view "remote view" via HTTP browserslide.jpg
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 allow anyone to bypass the presentation code simply by requesting /images/browserslide.jpg via HTTP. A remote, unauthenticated attacker can use this vulnerability to watch a slideshow without knowing the access code. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3934: Remote View Pass Code Bypass #2
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 allow anyone to bypass the presentation code by sending a crafted HTTP POST request to login.cgi. A remote, unauthenticated attacker can use this vulnerability to download the current slide image without knowing the access code. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3935: Unauthenticated Remote Moderator Controls via HTTP
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 allow anyone to act as a moderator of a slideshow via crafted HTTP POST requests to conference.cgi. A remote, unauthenticated attacker can use this vulnerability to start, stop, and disconnect active slideshows. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3936: Unauthenticated Remote View Control via port 389
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 are vulnerable to denial of service via a crafted request to TCP port 389. The request forces the slideshow to transition into a "stopped" state. A remote, unauthenticated attacker can use this vulnerability to stop an active slideshow. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3937: Credentials Stored in Plaintext
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 store usernames, passwords, the slideshow passcode, and other configuration options in cleartext in the file /tmp/scfgdndf. A local attacker can use this vulnerability to recover sensitive data. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        CVE-2019-3938: Exported Configuration Files Contain Credentials
        Crestron is aware that the AM-100 with firmware 1.6.0.2 and the AM-101 with firmware 2.7.0.2 store usernames, passwords, and other configuration options in the file generated via the "export configuration" feature. The configuration file is encrypted using the awenc binary. The same binary can be used to decrypt any configuration file, since all the encryption logic is hard-coded. A local attacker can use this vulnerability to gain access to device usernames and passwords. This vulnerability has been resolved with the current firmware release AM-100/101 v.1.7.1.7_2.8.0.27.

        Super Micro BMC Vulnerabilities Discovered
        09/18/19
        Threat:
        A vulnerability was disclosed affecting Super Micro’s BMC. Researchers have identified vulnerabilities in the Virtual Media function of Supermicro BMCs. BMC/IPMI Virtual Media is a feature of the Virtual Console that enables users to attach a CD/DVD image to the server as a virtual CD/DVD drive. These vulnerabilities include plaintext authentication, weak encryption, and authentication bypass within the Virtual Media capabilities. Identified by researchers in the lab, the vulnerabilities have not been reported in a customer environment.
         
        Identifier:
        N/A
        How is Crestron Affected:
        This BMC is used in the DM-NVX Director products - DM-XIO-DIR-80, DM-XIO-DIR-160 and DM-XIO-DIR-ENT. By default, the BMC is only available from the management port. 

        Best practice is to use the management port only for local connections and not to connect it to a wider LAN. In this configuration, there is little to no risk from the reported vulnerabilities.

        Customers can update as per the below procedure to further eliminate the concerns.
         
        DM NVX 2.0 and Earlier Supports SNMP v1/2
        08/14/19
        Threat:
        Unauthorized users can read all SNMP information because the access password is not secure in SNMPv1 or SNMPv2.
        SNMPv1 and SNMPv2 have been designated as obsolete.

        Versions of DM NVX prior to the released 2.1 supported these earlier versions.

         
        Identifier:
        N/A
        How is Crestron Affected:
        Versions of DM NVX 2.0 and earlier supported these now obsolete versions of SNMP. While used in the industry for years, a number of security vendors now flag it with increasing severity. As a result, it has been removed from the 2.1 feature set. SNMP v3 will be a part of the DM NVX 2.2 release.

        There is no reliable method to disable SNMP on the DM NVX device itself.

        The easiest method to eliminate the potential risk is to update to DM NVX 2.1 or higher. 

        If you decide not to update: 
        • All exposed parameters on the DM NVX are Read Only, so an attacker is limited
        • The risk can be eliminated by blocking UDP traffic on ports 161 and 162
        Resources:
        CVE-2019-13450: ZOOM CLIENT
        07/16/19
        Threat:
        Crestron is aware of a vulnerability within the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS. Remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424.

        NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
        Identifier:
        This vulnerability has been assigned CVE identifier CVE-2019-13450
        How is Crestron Affected:
        Crestron and Zoom have reviewed the vulnerability report and have confirmed that it does not affect any Crestron products.
        CVE-2019-9006: CP3N/PRO3/AV3
        06/07/19
        Threat:
        Crestron is aware of a vulnerability with the CP3N, Pro3, and AV3 devices which allows attackers to change firewall rules, scan the internal network, and download and run scripts through the remote root shell on the router via telnet access.
        Identifier:
        This vulnerability has been assigned CVE identifier CVE-2019-9006
        How is Crestron Affected:
        This vulnerability has been resolved in the current firmware upgrade. Crestron recommends upgrading devices with current firmware available on the product page.

        Minimum firmware versions to address this vulnerability: v.1.600.0092
        Authentication Bypass in AM-100/AM-101
        05/10/19
        Threat:
        Crestron is aware of a vulnerability in the AM-100 and AM-101 units that can allow a user to bypass authentication. All users are urged to update firmware to the versions noted.

        The latest AM-100/101 firmware release includes the fix for CVE-2019-3910. See link below under Resources.

        Please note that the following vulnerabilities affect only the AirMedia AM-100 and AM-101 devices. All other second generation AirMedia devices are not affected.
        Identifier:
        N/A
        How is Crestron Affected:

        CVE-2019-3910: Authentication Bypass - This vulnerability has been resolved in the current firmware and can be downloaded on the product page. Minimum firmware version to address this vulnerability: 2.7.0 (AM-101) and 1.6.0 (AM-100). Affected Devices:

        • AM-101
        • AM-100
        CVE-2018-10933: libssh Server Allows Unauthorized Access
        10/24/18
        Threat:
        Crestron is aware of a vulnerability found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.
        Identifier:
        This vulnerability has been assigned CVE identifier CVE-2018-10933.
        How is Crestron Affected:
        While Crestron does use libssh in some products, it is not used for authentication in any circumstance. Therefore, no Crestron products are affected by this vulnerability.
        Resources:
        Nessus detects multiple vulnerabilities on port 7000
        09/24/18
        Threat:
        Nessus scanner detects AirMedia as an AppleTV and reports subsequent vulnerabilities.
        Identifier:
        There are multiple CVEs associated with this. Please see the related document.
        How is Crestron Affected:
        This is a false positive triggered by AirPlay compatibility. Refer to Airmedia - Nessus Vulnerability Scanner False Positive Mitigation Guideline - Airplay for details.
        CVE-2018-10630: IMPROPER ACCESS CONTROL
        08/09/18
        Threat:
        Authentication is not enabled by default on affected devices. With the minimum firmware version listed below, Crestron’s CTP Console and Telnet access are now disabled by default. Only SSH is available for configuration. If the device does not have authentication enabled, an SSH Banner will display a warning which recommends securing the device.
        Identifier:
        This vulnerability has been assigned CVE identifier CVE-2018-10630.
        How is Crestron Affected:
        Minimum firmware version to address this vulnerability: v1.502.0047.001. Affected Device: MC3.
        CVE-2018-11228: UNAUTHENTICATED REMOTE CODE EXECUTION VIA BASH SHELL SERVICE IN CTP
        08/09/18
        Threat:
        Crestron is aware of a vulnerability with specific touch panels which allows for unauthenticated remote code execution via bash. If authentication is enabled, the probability of exploit is lower as authentication is required.
        Identifier:
        This vulnerability has been assigned CVE identifier CVE-2018-11228.
        How is Crestron Affected:

        This vulnerability has been resolved in the current firmware and can be downloaded on the product page.

        Minimum firmware versions to address this vulnerability:

        • TSW-X60 Series use FW 2.0001.0037.001 or later
        • TSW-X52 Series use FW 1.004.0007 or later

        Affected Devices:

        • TSW-1060
        • TSW-760
        • TSW-560
        • TSW-1060-NC
        • TSW-760-NC
        • TSW-560-NC
        • TSW-552
        • TSW-752
        • TSW-1052
        • TSR-302
        • TST-602
        • TST-902
        • TSW-732
        • TSS-752
        • DMC-STR

        Additional products are being tested.

        Resources: