ID CVE-2016-5671 Type cve Reporter cve@mitre.org Modified 2016-08-16T15:42:00
Description
Multiple cross-site request forgery (CSRF) vulnerabilities on Crestron Electronics DM-TXRX-100-STR devices with firmware through 1.3039.00040 allow remote attackers to hijack the authentication of arbitrary users.
ID VU:974424 Type cert Title Crestron Electronics DM-TXRX-100-STR web interface contains multiple vulnerabilities Published 2016-08-01T00:00:00 Modified 2016-08-01T16:05:00 Href https://www.kb.cert.org/vuls/id/974424 CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE list CVE-2016-5666, CVE-2016-5667, CVE-2016-5668, CVE-2016-5669, CVE-2016-5670, CVE-2016-5671

### Overview

Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and earlier, has a web management interface that contains multiple vulnerabilities, including authentication bypass, failure to restrict access to authorized users, use of a hard-coded certificate, default credentials, and cross-site request forgery (CSRF). These vulnerabilities may be leveraged to gain complete control of affected devices.

### Description

Crestron Electronics [DM-TXRX-100-STR](https://www.crestron.com/downloads/pdf/spec_sheets/commercial_and_residential/dm-txrx-100-str.pdf) is a "streaming encoder/decoder designed to enable the distribution of high-definition AV signals over an IP network." The DM-TXRX-100-STR is configurable via a web interface that contains multiple vulnerabilities.

**[CWE-603](https://cwe.mitre.org/data/definitions/603.html): Use of Client-Side Authentication** - CVE-2016-5666

The DM-TXRX-100-STR web management interface uses client-side JavaScript to authenticate users to its `index.html` page. By intercepting server responses and ensuring that `objresp.authenabled == '1'`, an attacker can bypass authentication without knowledge of valid credentials.

**[CWE-425](http://cwe.mitre.org/data/definitions/425.html): Direct Request ('Forced Browsing')** - CVE-2016-5667

Client authentication is only checked for `index.html`. An attacker can directly access deeper web interface URIs without being required to authenticate.

**[CWE-306](https://cwe.mitre.org/data/definitions/306.html): Missing Authentication for Critical Function** - CVE-2016-5668

The DM-TXRX-100-STR web management interface provides a JSON API. API methods do not require authentication and may be abused by unauthorized attackers to modify device configuration settings.

**[CWE-321](https://cwe.mitre.org/data/definitions/321.html): Use of Hard-coded Cryptographic Key** - CVE-2016-5669

A known, unsafe hard-coded X.509 certificate ([identified here](https://www.censys.io/certificates/51ab293c9fe391eeeb1a2739de15cd8029e3033142962c6c386f2da78d03a945)) is used for HTTPS connections. An attacker may be able to conduct impersonation, man-in-the-middle, or passive decryption attacks.

**[CWE-255](http://cwe.mitre.org/data/definitions/255.html): Credentials Management** - CVE-2016-5670

The DM-TXRX-100-STR web management interface uses non-random default credentials, `admin:admin`. An attacker may gain privileged access to vulnerable devices' web management interfaces or leverage the default credentials in remote attacks such as cross-site request forgery (CSRF).

**[CWE-352](https://cwe.mitre.org/data/definitions/352.html): Cross-Site Request Forgery (CSRF)** - CVE-2016-5671

Crestron DM-TXRX-100-STR web interface pages are vulnerable to CSRF. An attacker can perform actions with the same permissions as a victim user, provided the victim is induced to trigger the malicious request. Note that since authentication is not enforced on most URIs, a session typically does not need to have been established by a victim user; however, in combination with default credentials, an attacker may establish an active session as part of an attack and therefore would not require a victim to be logged in.

---

### Impact

A remote, unauthenticated attacker may gain administrative access through numerous contexts to take complete control of vulnerable devices.

---

### Solution

**Apply an upgrade**

The vendor has released firmware version 1.3039.00040 to address these vulnerabilities and has provided the following statement:

_The following were fully resolved in 1.3.39.00040_
_- CWE-603: Use of Client-Side Authentication - CVE-2016-5666_
_- CWE-425: Direct Request ('Forced Browsing') - CVE-2016-5667_
_- CWE-306: Missing Authentication for Critical Function - CVE-2016-5668_
_- CWE-321: Use of Hard-coded Cryptographic Key - CVE-2016-5669_

_CWE-255: Credentials Management - CVE-2016-5670 - was partially addressed in 1.3.39.00040. Users now have the ability to modify the password on the device page of the web interface. Other credentials management enhancements will be implemented in a future firmware release. It is recommended to change the default password on the device page when commissioning the device._

_CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2016-5671 - will be addressed in a future release._

Users are encouraged to update to the latest version, but should note that the CSRF vulnerability (CVE-2016-5671) had not been patched at the time of this disclosure. All users should consider the following workaround.

---

**Restrict network access and use strong passwords**

Crestron DM-TXRX-100-STR web management interfaces should not be exposed to the public Internet. Additionally, users who have updated to version 1.3039.00040 are strongly encouraged to use strong passwords. Strong passwords may help to prevent blind guessing attacks that would establish sessions for CSRF attacks. Because of the risk of CSRF attacks on unauthenticated configuration URIs or on devices with default credentials, users are advised not to browse the Internet from network locations capable of accessing DM-TXRX-100-STR web interfaces.

---

### Vendor Information

### Crestron Electronics: Affected

Notified: April 25, 2016 Updated: July 28, 2016

**Statement Date: July 26, 2016**

### Status

Affected

### Vendor Statement

See the vendor statement quoted in the Solution section above.

### Vendor Information

We are not aware of further vendor information regarding this vulnerability.

### CVSS Metrics

Group | Score | Vector
---|---|---
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 8.3 | E:F/RL:OF/RC:C
Environmental | 6.2 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

### References

 * <https://www.crestron.com/downloads/pdf/spec_sheets/commercial_and_residential/dm-txrx-100-str.pdf>
 * <https://cwe.mitre.org/data/definitions/603.html>
 * <http://cwe.mitre.org/data/definitions/425.html>
 * <https://cwe.mitre.org/data/definitions/306.html>
 * <https://cwe.mitre.org/data/definitions/321.html>
 * <https://cwe.mitre.org/data/definitions/255.html>
 * <https://cwe.mitre.org/data/definitions/352.html>
 * <https://www.crestron.com/resources/resource-library/firmware>

### Acknowledgements

Thanks to Carsten Eiram of Risk Based Security for reporting these vulnerabilities.

This document was written by Joel Land.

### Other Information

**CVE IDs:** | [CVE-2016-5666](http://web.nvd.nist.gov/vuln/detail/CVE-2016-5666), [CVE-2016-5667](http://web.nvd.nist.gov/vuln/detail/CVE-2016-5667), [CVE-2016-5668](http://web.nvd.nist.gov/vuln/detail/CVE-2016-5668), [CVE-2016-5669](http://web.nvd.nist.gov/vuln/detail/CVE-2016-5669), [CVE-2016-5670](http://web.nvd.nist.gov/vuln/detail/CVE-2016-5670), [CVE-2016-5671](http://web.nvd.nist.gov/vuln/detail/CVE-2016-5671)
---|---
**Date Public:** | 2016-08-01
**Date First Published:** | 2016-08-01
**Date Last Updated:** | 2016-08-01 16:05 UTC
**Document Revision:** | 24