When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are valid to authenticate to the web interface.

Details

Product: Crestron HD-MD4X2-4K-E Affected Versions: 1.0.0.2159 Fixed Versions: - Vulnerability Type: Information Disclosure Security Risk: high Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E Vendor Status: decided not to fix Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009 Advisory Status: published CVE: CVE-2022-23178 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23178

Introduction

“Crestron sets the gold standard for network security by leveraging the most advanced technologies including 802.1x authentication, AES encryption, Active Directory® credential management, JITC Certification, SSH, secure CIP, PKI certificates, TLS, and HTTPS, among others, to provide network security at the product level.”

(from the vendor’s homepage)

More Details

Upon visiting the device’s web interface using a web browser, a login form is displayed requiring to enter username and password to authenticate. The analysis of sent HTTP traffic revealed that in addition to the loading of the website, a few more HTTP requests are automatically triggered. One of the associated responses contains a username and a password which can be used to authenticate as the affected user.

Proof of Concept

Requesting the URL “http://crestron.example.com/” via a web browser results in multiple HTTP requests being sent. Among others, the following URL is requested:

---

http://crestron.example.com/aj.html?a=devi&_=[…]

This request results in a response similar to the following:

---

HTTP/1.0 200 OK Cache-Control: no-cache Content-type: text/html

{ "login_ur": 0, "front_val": [ 0, 1 ], "uname": "admin", "upassword": “password” }

---

The values for the keys “uname” and “upassword” could be used to successfully authenticate to the web interface as the affected user.

Workaround

Reachability over the network can be restricted for access to the web interface, for example by using a firewall.

Fix

No fix known.

Security Risk

As user credentials are disclosed to visitors of the web interface they can directly be used to authenticate to it. The access allows to modify the device’s input and output settings as well as to upload and install new firmware. Due to ease of exploitation and gain of administrative access this vulnerability poses a high risk.

Timeline

2021-10-06 Vulnerability identified 2021-11-15 Customer approved disclosure to vendor 2021-12-08 Vendor notified 2021-12-15 Vendor notified again 2021-12-21 Vendor response received: “The device in question doesn’t support Crestron’s security practices. We recommend the HD-MD-4KZ alternative.” 2021-12-22 Requested confirmation, that the vulnerability will not be addressed. 2021-12-28 Vendor confirms that the vulnerability will not be corrected. 2022-01-12 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://www.redteam-pentesting.de/jobs/