Crestron Electronics DM-TXRX-100-STR web interface contains multiple vulnerabilities
Original Release date: 01 Aug 2016 | Last revised: 01 Aug 2016
Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and earlier, has a web management interface that contains multiple vulnerabilities, including authentication bypass, failure to restrict access to authorized users, use of a hard-coded certificate, default credentials, and cross-site request forgery (CSRF). These vulnerabilities may be leveraged to gain complete control of affected devices.
Crestron Electronics DM-TXRX-100-STR is a “streaming encoder/decoder designed to enable the distribution of high-definition AV signals over an IP network.” The DM-TXRX-100-STR is configurable via a web interface that contains multiple vulnerabilities.
A remote, unauthenticated attacker may gain administrative access by any of several routes (bypassing the client-side authentication, requesting configuration URIs directly, or using the default credentials) and take complete control of vulnerable devices.
Apply an upgrade
The vendor has released firmware version 1.3039.00040 to address these vulnerabilities and has provided the following statement:
The following were fully resolved in 1.3.39.00040:
- CWE-603: Use of Client-Side Authentication – CVE-2016-5666
- CWE-425: Direct Request ('Forced Browsing') – CVE-2016-5667
- CWE-306: Missing Authentication for Critical Function – CVE-2016-5668
- CWE-321: Use of Hard-coded Cryptographic Key – CVE-2016-5669
CWE-255: Credentials Management – CVE-2016-5670 – was partially addressed in 1.3.39.00040. Users now have the ability to modify the password on the device page of the web interface. Other credentials management enhancements will be implemented in a future firmware release. It is recommended to change the default password on the device page when commissioning the device.
CWE-352: Cross-Site Request Forgery (CSRF) – CVE-2016-5671 – will be addressed in a future release.
Users are encouraged to update to the latest version, but should note that the CSRF vulnerability (CVE-2016-5671) has not been patched at the time of this disclosure. All users should consider the following workaround.
Restrict network access and use strong passwords
Crestron DM-TXRX-100-STR web management interfaces should not be exposed to the public Internet. Additionally, users who have updated to version 1.3039.00040 are strongly encouraged to set strong passwords. Strong passwords help to prevent blind guessing attacks, including forged login requests, that would establish the session a CSRF attack rides on. Because of the risk of CSRF attacks against unauthenticated configuration URIs or against devices still using default credentials, users are advised not to browse the Internet from network locations capable of reaching DM-TXRX-100-STR web interfaces.
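The reasoning in the workaround above (a forged request can first log a victim's browser in with the default password, then change the configuration; a strong password or a server-side CSRF check breaks the chain) can be exercised with the following model. This is an added illustrative example written for this note, not Crestron firmware or any real device handler: the URIs (/login, /config), the cookie name, the admin/admin default account and the device origin are all assumptions.

```python
"""Added example: a minimal model of the CSRF-plus-default-credentials chain
described in the workaround. Illustrative code only, not device firmware; the
URIs, cookie name, default account and origin below are assumptions."""

import hmac
import secrets
from dataclasses import dataclass, field

DEVICE_ORIGIN = "https://device.local"   # assumed device origin
DEFAULT_CREDS = {"admin": "admin"}       # constructed default account


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)   # e.g. Origin
    cookies: dict = field(default_factory=dict)   # attached automatically by the browser
    form: dict = field(default_factory=dict)


@dataclass
class Device:
    users: dict = field(default_factory=lambda: dict(DEFAULT_CREDS))
    config: dict = field(default_factory=lambda: {"stream_dest": "239.0.0.1"})
    sessions: dict = field(default_factory=dict)  # session id -> per-session CSRF token


def _login(device, form):
    """Password check shared by both handlers; returns a new session id or None."""
    user, pw = form.get("user", ""), form.get("pass", "")
    if user in device.users and hmac.compare_digest(device.users[user], pw):
        sid = secrets.token_urlsafe(16)
        device.sessions[sid] = secrets.token_urlsafe(16)
        return sid
    return None


def vulnerable_handle(device, req):
    """Cookie-only handler: any POST carrying a valid session cookie is trusted and
    /login itself is forgeable, so an attacker page can log the victim's browser
    in with the default password and then change the config.
    Returns (status, body, set_cookie)."""
    if req.method == "POST" and req.path == "/login":
        sid = _login(device, req.form)
        return (200, "ok", sid) if sid else (401, "bad credentials", None)
    if req.method == "POST" and req.path == "/config":
        if req.cookies.get("session") not in device.sessions:
            return 401, "login required", None
        device.config.update({k: v for k, v in req.form.items() if k in device.config})
        return 200, "updated", None
    return 404, "not found", None


def hardened_handle(device, req):
    """Same endpoints with CSRF defences: the Origin header must be the device's own,
    and a state change must carry the per-session token that only a same-origin
    page can read. /login returns that token so a legitimate page can use it."""
    if req.headers.get("Origin") != DEVICE_ORIGIN:
        return 403, "cross-origin request rejected", None
    if req.method == "POST" and req.path == "/login":
        sid = _login(device, req.form)
        return (200, device.sessions[sid], sid) if sid else (401, "bad credentials", None)
    if req.method == "POST" and req.path == "/config":
        token = device.sessions.get(req.cookies.get("session"))
        if token is None or not hmac.compare_digest(token, req.form.get("csrf_token", "")):
            return 403, "missing or wrong CSRF token", None
        device.config.update({k: v for k, v in req.form.items() if k in device.config})
        return 200, "updated", None
    return 404, "not found", None


def attack(device, handler, attacker_origin="https://attacker.example"):
    """Simulate a victim browser on the device's network visiting an attacker page
    that auto-submits two forms at the device. The browser attaches cookies it
    holds, but the attacker never sees the device's responses or tokens.
    Returns the stream destination after the attempt."""
    jar = {}
    login_req = Request("POST", "/login", {"Origin": attacker_origin}, dict(jar),
                        {"user": "admin", "pass": "admin"})   # guessed default creds
    _, _, set_cookie = handler(device, login_req)
    if set_cookie:
        jar["session"] = set_cookie   # the browser stores Set-Cookie blindly
    change_req = Request("POST", "/config", {"Origin": attacker_origin}, dict(jar),
                         {"stream_dest": "10.0.0.9"})        # attacker-chosen value
    handler(device, change_req)
    return device.config["stream_dest"]


if __name__ == "__main__":
    print("vulnerable:", attack(Device(), vulnerable_handle))   # attacker's value
    print("hardened:", attack(Device(), hardened_handle))       # unchanged
    strong = Device()
    strong.users["admin"] = secrets.token_urlsafe(24)
    print("vulnerable, strong password:", attack(strong, vulnerable_handle))
```

Run with attack(Device(), vulnerable_handle) to see the config change, and again with a non-default admin password to see the forged login fail before the config request is ever accepted, which is the point of the strong-password advice. Newer browsers' SameSite cookie defaults narrow the cookie-borne variant but do nothing for a configuration URI that requires no session at all.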
Vendor Information
Vendor: Crestron Electronics
Status: Affected
Date Notified: 25 Apr 2016
Date Updated: 28 Jul 2016
Thanks to Carsten Eiram of Risk Based Security for reporting these vulnerabilities.
This document was written by Joel Land.