Crestron has released new firmware to mitigate multiple vulnerabilities in its TSW-X60 and MC3 products, according to an advisory published by NCCIC.
The remotely exploitable vulnerabilities include OS command injections, improper access control and insufficiently protected credentials.
Successful exploitation of these vulnerabilities may allow remote code execution with escalated system privileges.
Jackson Thuraisamy, working with Security Compass, reported some of these vulnerabilities to Crestron. In addition, Ricky “HeadlessZeke” Lawshae, working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to NCCIC.
The following products and versions suffer from the issues:
• TSW-X60, all versions prior to 2.001.0037.001
• MC3, all versions prior to 1.502.0047.001
The first OS command injection vulnerability may allow unauthenticated remote code execution via a Bash shell service in Crestron Toolbox Protocol (CTP). This vulnerability only affects TSW-X60 devices.
CVE-2018-11228 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
A second vulnerability may allow unauthenticated remote code execution via command injection in Crestron Toolbox Protocol (CTP). This vulnerability also only affects TSW-X60 devices.
CVE-2018-11229 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
Also, the devices ship with authentication disabled, and there is no indication to users that they need to take steps to enable it. As a result, access to the CTP console is left open.
CVE-2018-10630 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
In addition, the passwords for special sudo accounts may be calculated using information accessible to those with regular user privileges. Attackers could decipher these passwords, which may allow them to execute hidden API calls and escape the CTP console sandbox environment with elevated privileges.
CVE-2018-13341 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
The products are used mainly in the government facilities and commercial facilities sectors and are deployed worldwide.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
Crestron also recommends users refer to Crestron’s Online Help for more information about these and other vulnerabilities (Article #5471). Information for hardening devices is available in Article #5571.