Crestron Patches Command Injection Flaw in DGE-100 Controller
Crestron recently addressed a command injection vulnerability in the console service preinstalled on the Digital Graphics Engine 100 (DGE-100) and other hardware controllers made by the company.
Tracked as CVE-2018-5553, the vulnerability has a base CVSSv3 score of 9.8 and is considered Critical severity. Discovered by Rapid7, the security bug is the result of lack of input sanitization and allows an attacker able to connect to the device over TCP port 41795 to gain root-level access.
The DGE-100 controller allows users to connect a touchscreen interface to external sources over HDMI, USB, or Ethernet. The device, which is usually paired with the Crestron TSD-2220 HD touchscreen display, is typically deployed in corporate meeting spaces or control rooms and is distributed globally.
The Crestron console service on DGE-100 is listening on TCP port 41795 and requires “a proprietary management tool” to use. The hardware controller, however, does not require credentials for administrative access to the console service by default.
“By connecting to this service with netcat and using the `ping` command with an argument constructed of shell-expandable variables, it is possible to inject operating system commands that will be executed by this console, which itself runs as root,” Rapid7 explains in a report.
The vulnerability occurs only if the default configuration is left in place, which means that credentials are not required for administrative access. Thus, anyone able to connect to the device’s TCP port 41795 can elevate to a root shell on the device, the security firm explains.
By exploiting the issue, an attacker could co-opt the device for a persistent “beachhead” into the affected network. The attacker would have unfettered access to the device’s core functionality, thus being able to intercept and modify any data, including what’s served over the Ethernet, HDMI, or USB ports.
The issue was discovered in March 2018 and reported to the vendor in early April. All DGE-100 devices running firmware version 1.3384.00049.001 and lower with default configuration are vulnerable. Crestron noted in an advisory published last week that TS-1542-C and DM-DGE-200-C devices are also impacted.
A patch was released on June 4 and owners of affected devices are advised to apply it as soon as possible. The update (firmware 1.3384.00059.001 or higher address the bug) is available on Crestron’s website.
“Crestron took immediate action upon receiving the information and has created updates to remediate this concern. Crestron has no evidence of any customers being impacted by this issue. If customers have configured their systems based on our published security best practices, then the risk is low as an authenticated user would be required to exploit this vulnerability,” the vendor said.