CVE-2022-2068: C_Rehash Command Injection
01/23/23
More information
Threat:
Crestron is aware of an issue in which the c_rehash script does not properly sanitize the shell metacharacters to prevent a command injection. The script can be automatically executed on some operating systems allowing an attacker to arbitrarily execute commands with elevated privileges. This vulnerability is a continuation of
CVE-2022-1292, which has already been fixed.
Identifier:
This vulnerability has been identified as CVE-2022-2068
How is Crestron Affected:
The UC-Engine product line is not affected by this issue since the script mentioned above isn’t used. Crestron recommends updating to version 1.00.22.786 to fix any other present OpenSSL vulnerabilities.
CVE-2022-2097: OpenSSL AES OCB Vulnerability
01/23/23
More information
Threat:
Crestron is aware of an issue with OpenSSL in which AES OCB mode for 32-bit x86 platforms would not encrypt all the data under certain circumstances. This would allow an attacker to see 16 bytes of preexisting memory in plaintext.
Identifier:
This vulnerability has been classified as CVE-2022-2097.
How is Crestron Affected:
This vulnerability affects the UC-Engine product line on version 1.00.22.766. Version 1.00.22.786, which fixes this issue, has been released.
Note: The affected version was never available via Windows Update. It was only possible through XiO Cloud and Crestron Customer Support. Version 1.00.22.786 is available via XiO Cloud and Crestron Support and will be available as a Windows Update in the near future.
CVE-2022-3358: Incorrect Cipher Vulnerability
01/23/23
More information
Threat:
Crestron is aware of an issue with OpenSSL in which using a custom cipher with a specific legacy function will cause OpenSSL to incorrectly call the function. It will instead call a different cipher from available providers. This can result in disclosure of sensitive information.
Identifier:
This vulnerability has been classified as CVE-2022-3358.
How is Crestron Affected:
The UC-Engine product line is not affected by this issue since it doesn’t use the legacy function associated with this vulnerability. Crestron recommends updating to version 1.00.22.786 to resolve any other present OpenSSL vulnerabilities.
CVE-2022-3602: X.509 Certificate Buffer Overflow (OpenSSL)
11/18/22
More information
Threat:
OpenSSL has discovered a vulnerability where an attacker can use a malicious email address to send a specifically constructed certificate to an application. The application receiving the certificate will overwrite memory and crash. This can lead to a denial of service, or allow the attacker to gain remote control over the affected system.
Identifier:
This vulnerability has been classified as CVE-2022-3602 and CVE-2022-3786
How is Crestron Affected:
This vulnerability affects the UC-Engine product line on version 1.00.22.766. Crestron is planning a release, version 1.00.22.786, to fix this issue.
Note: The affected version was never available via Windows Update. It was only possible through XiO Cloud and Crestron Customer Support. Version 1.00.22.786 will be available via XiO Cloud and Crestron Support on Monday, December 12th and will be available as a Windows Update later on.
CVE-2022-40298: AirMedia Privilege Escalation
09/16/22
More information
Threat:
The Lockheed Martin Red Team has discovered a privilege escalation vulnerability found in the AirMedia Windows Application, version 4.3.1.39. A low privileged user can initiate a repair of the system and gain a SYSTEM level shell.
Identifier:
This vulnerability has been classified as CVE-2022-40298.
How is Crestron Affected:
Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue
CVE-2022-34100: AirMedia Binary Hijack
09/09/22
More information
Threat:
The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a low-privileged user can gain a SYSTEM level command prompt by pre-staging a file structure prior to the installation of a trusted service executable and change permissions on that file structure during a repair operation.
Identifier:
CVE-2022-34100
How is Crestron Affected:
Please update the AirMedia Deployable and Guest Application to version 5.5.1.87 to resolve this issue
CVE-2022-34101: AirMedia Rogue DLL
09/09/22
More information
Threat:
The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a user can place a malicious DLL in a certain path to execute code and preform a privilege escalation attack.
Identifier:
CVE-2022-34101
How is Crestron Affected:
Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
CVE-2022-34102: AirMedia Command Prompt Hijack
09/09/22
More information
Threat:
The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.
Identifier:
CVE-2022-34102
How is Crestron Affected:
Please update the Air Media Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.
CVE-2022-22707: Lighttpd Denial-of-Service
05/17/22
More information
Threat:
Crestron is aware of an issue affecting lighttpd versions 1.4.46 through 1.4.63. Under certain non-default configurations, an attacker can perform a remote denial of service attack with a stack-based buffer overflow.
Identifier:
CVE-2022-22707
How is Crestron Affected:
Crestron devices are not affected because they do not utilize the vulnerable configurations.
CVE-2022-22965: Spring4Shell
03/31/22
More information
Threat:
This vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
How is Crestron Affected:
Crestron products do not make use of this framework and as such are not vulnerable.
Resources:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
|<
<
1 2 3 4 5 6
>
>|
Pages: 1 of 6