Crestron Electronics security updates

Number: AV16-124
Date: Aug 4, 2016

Purpose

The purpose of this advisory is to bring attention to security updates released by Crestron Electronics for the DM-TXRX-100-STR web management interface.

Assessment

Crestron Electronics released a security update to address 5 critical vulnerabilities in the DM-TXRX-100-STR web interface. Exploitation of these vulnerabilities can allow for authentication bypass, unauthorized access and cross-site request forgery. Vulnerable devices also contain hard-coded administrative credentials and a publicly known cryptographic key.

Affected versions:
DM-TXRX-100-STR versions prior to 1.3039.00040
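Deciding which devices fall under "versions prior to 1.3039.00040" is easy to get wrong with a plain string comparison, because the build field carries leading zeros. The following Python inventory check is an added example written for this advisory, not Crestron's or CCIRC's code; the hostnames and firmware versions in the sample inventory are constructed for illustration.

```python
"""Flag DM-TXRX-100-STR devices whose firmware is older than the fixed build."""
from typing import List, Tuple

# Fixed firmware build named in the advisory; versions prior to this are affected.
FIXED_VERSION = "1.3039.00040"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted firmware version into integer components.

    Numeric comparison matters: the build field has leading zeros ("00040"),
    so a string comparison would rank "1.3039.00040" below "1.3039.0005"
    even though build 40 is newer than build 5.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the device firmware is older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, version) for every affected DM-TXRX-100-STR.

    Each inventory row is (hostname, model, firmware_version). Other models
    are skipped; a row whose version cannot be parsed is reported as
    affected so it is reviewed rather than silently ignored.
    """
    flagged = []
    for host, model, version in inventory:
        if model != "DM-TXRX-100-STR":
            continue
        try:
            affected = is_affected(version)
        except ValueError:
            affected = True  # unknown firmware state: needs manual review
        if affected:
            flagged.append((host, version))
    return flagged


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("av-lobby-01", "DM-TXRX-100-STR", "1.2987.00012"),
    ("av-board-02", "DM-TXRX-100-STR", "1.3039.00040"),
    ("av-board-03", "DM-TXRX-100-STR", "1.3039.00039"),
    ("av-class-04", "DM-TXRX-100-STR", "1.3040.00001"),
    ("av-other-05", "DM-TX-201-C", "1.0.0"),
    ("av-unknown-06", "DM-TXRX-100-STR", "n/a"),
]

if __name__ == "__main__":
    for host, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: firmware {version} is prior to {FIXED_VERSION}; update required")
```

Feed `triage` the rows from your asset inventory; devices on exactly 1.3039.00040 or later are not reported, and any device whose version field is missing or malformed is reported so it is not overlooked.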

CVE References: CVE-2016-5666, CVE-2016-5667, CVE-2016-5668, CVE-2016-5669, CVE-2016-5670, CVE-2016-5671

One vulnerability (CVE-2016-5671) remains unpatched, with a firmware update forthcoming from the manufacturer.

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected devices accordingly. For the vulnerability without a released update, system administrators should monitor for its release and then action it through their organization's patch management process. Any default device passwords should be reset, then changed regularly under a strong password policy. Note that resetting passwords does not remove the hard-coded administrative credentials; those are only addressed by the firmware update.

References

Vendor Download:
https://www.crestron.com/resources/resource-library/firmware

Advisories:
http://www.kb.cert.org/vuls/id/974424
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5666
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5667
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5668
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5669
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5670
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5671