Crestron HD-MD4X2-4K-E 1.0.0.2159 Credential Disclosure

`Advisory: Credential Disclosure in Web Interface of Crestron Device  
  
  
When the administrative web interface of the Crestron HDMI switcher is  
accessed unauthenticated, user credentials are disclosed which are valid  
to authenticate to the web interface.  
  
Details  
=======  
  
Product: Crestron HD-MD4X2-4K-E  
Affected Versions: 1.0.0.2159  
Fixed Versions: -  
Vulnerability Type: Information Disclosure  
Security Risk: high  
Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E  
Vendor Status: decided not to fix  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009  
Advisory Status: published  
CVE: CVE-2022-23178  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23178  
  
  
Introduction  
============  
  
"Crestron sets the gold standard for network security by leveraging the  
most advanced technologies including 802.1x authentication, AES  
encryption, Active Directory® credential management, JITC Certification,  
SSH, secure CIP, PKI certificates, TLS, and HTTPS, among others, to  
provide network security at the product level."  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
Upon visiting the device's web interface using a web browser, a login  
form is displayed requiring to enter username and password to  
authenticate. The analysis of sent HTTP traffic revealed that in  
addition to the loading of the website, a few more HTTP requests are  
automatically triggered. One of the associated responses contains a  
username and a password which can be used to authenticate as the  
affected user.  
  
  
Proof of Concept  
================  
  
Requesting the URL "http://crestron.example.com/" via a web browser  
results in multiple HTTP requests being sent. Among others, the  
following URL is requested:  
  
------------------------------------------------------------------------  
http://crestron.example.com/aj.html?a=devi&_=[...]  
------------------------------------------------------------------------  
  
This request results in a response similar to the following:  
  
------------------------------------------------------------------------  
HTTP/1.0 200 OK  
Cache-Control: no-cache  
Content-type: text/html  
  
{  
"login_ur": 0,  
"front_val": [  
0,  
1  
],  
"uname": "admin",  
"upassword": "password"  
}  
------------------------------------------------------------------------  
  
The values for the keys "uname" and "upassword" could be used to  
successfully authenticate to the web interface as the affected user.  
  
  
Workaround  
==========  
  
Reachability over the network can be restricted for access to the web  
interface, for example by using a firewall.  
  
  
Fix  
===  
  
No fix known.  
  
  
Security Risk  
=============  
  
As user credentials are disclosed to visitors of the web interface they  
can directly be used to authenticate to it. The access allows to modify  
the device's input and output settings as well as to upload and install  
new firmware. Due to ease of exploitation and gain of administrative  
access this vulnerability poses a high risk.  
  
  
Timeline  
========  
  
2021-10-06 Vulnerability identified  
2021-11-15 Customer approved disclosure to vendor  
2021-12-08 Vendor notified  
2021-12-15 Vendor notified again  
2021-12-21 Vendor response received: "The device in question doesn't support  
Crestron's security practices. We recommend the HD-MD-4KZ alternative."  
2021-12-22 Requested confirmation, that the vulnerability will not be addressed.  
2021-12-28 Vendor confirms that the vulnerability will not be corrected.  
2022-01-12 Advisory released  
  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
  
Working at RedTeam Pentesting  
=============================  
  
RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://www.redteam-pentesting.de/jobs/  
  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
`