Number: AV16-124
Date: Aug 4, 2016
Purpose
The purpose of this advisory is to bring attention to security updates available for the DM-TXRX-100-STR web management interface by Crestron Electronics.
Assessment
Crestron Electronics released a security update to address 5 critical vulnerabilities in the DM-TXRX-100-STR web interface. Exploitation of these vulnerabilities can allow authentication bypass, unauthorized access and cross-site request forgery. Vulnerable devices also contain hard-coded administrative credentials and a publicly known cryptographic key.
Affected versions:
DM-TXRX-100-STR versions prior to 1.3039.00040
CVE References: CVE-2016-5666, CVE-2016-5667, CVE-2016-5668, CVE-2016-5669, CVE-2016-5670, CVE-2016-5671
One vulnerability (CVE-2016-5671) remains unpatched, with a firmware update forthcoming from the manufacturer.
Suggested action
CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly. For the vulnerability without a released update, system administrators should monitor for its release and then action their organization's patch management process accordingly. Any default device passwords should be reset, then changed regularly in accordance with a strong password policy.
References
Vendor Download:
https://www.crestron.com/resources/resource-library/firmware
Advisories:
http://www.kb.cert.org/vuls/id/974424
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5666
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5667
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5668
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5669
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5670
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5671