Improper access control in Crestron Electronics products - CVE-2018-10630

 

Improper access control in Crestron Electronics products - CVE-2018-10630

Published: August 10, 2018


Vulnerability identifier: #VU14302
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-10630
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Crestron Electronics
Affected software:
TSW-560-NC
TSW-760-NC
TSW-1060-NC
TSW-560
TSW-760
TSW-1060
MC3

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to the devices are shipped with authentication disabled, and there is no indication to users that they need to take steps to enable it. A remote unauthenticated attacker can bypass security restrictions and gain access to the CTP console.


How to mitigate CVE-2018-10630

Update TSW-X60 to version 2.001.0037.001.
Update MC3 to version 1.502.0047.001.

Sources