Crestron AM-100/AM-101 HTTP Endpoint file_transfer.cgi System Command command injection
|CVSS Meta Temp Score|
CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.
|Current Exploit Price (≈)|
Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.
|CTI Interest Score|
Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.
A vulnerability was found in Crestron AM-100 and AM-101. It has been classified as very critical. This affects an unknown part of the file file_transfer.cgi of the component HTTP Endpoint. The manipulation as part of a System Command leads to a privilege escalation vulnerability. CWE is classifying the issue as CWE-77. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
The Crestron AM-100 firmware 220.127.116.11, Crestron AM-101 firmware 18.104.22.168, Barco wePresent WiPG-1000P firmware 22.214.171.124, Barco wePresent WiPG-1600W before firmware 126.96.36.199, Extron ShareLink 200/250 firmware 188.8.131.52, Teq AV IT WIPS710 firmware 184.108.40.206, SHARP PN-L703WA firmware 220.127.116.11, Optoma WPS-Pro firmware 18.104.22.168, Blackbox HD WPS firmware 22.214.171.124, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 126.96.36.199 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
The bug was discovered 05/01/2019. The weakness was disclosed 04/30/2019 (Website). The advisory is shared at exploit-db.com. This vulnerability is uniquely identified as CVE-2019-3929 since 01/03/2019. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 06/05/2020).
The commercial vulnerability scanner Qualys is able to test this issue with plugin 13484 (Crestron AM-100 and AM-101 Multiple Vulnerabilities).
It is possible to mitigate the weakness by firewalling .
- Crestron AM-100 188.8.131.52
- Crestron AM-101 184.108.40.206
- Barco wePresent WiPG-1000P 220.127.116.11
- Barco wePresent WiPG-1600W 2.4.1
- Extron ShareLink 200/Extron ShareLink 200 250 18.104.22.168
- Teq AV IT WIPS710 22.214.171.124
- SHARP PN-L703WA 126.96.36.199
- Optoma WPS-Pro 188.8.131.52
- Blackbox HD WPS 184.108.40.206
- InFocus LiteShow3 1.0.16
- InFocus LiteShow4 220.127.116.11
CVSSv3VulDB Meta Base Score: 9.8
VulDB Meta Temp Score: 9.6
VulDB Base Score: 9.8
VulDB Temp Score: 9.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
ExploitingClass: Privilege escalation
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat IntelligenceThreat: 🔍
0-Day Time: 🔍
04/30/2019 +117 days 🔍
05/01/2019 +1 days 🔍
05/01/2019 +0 days 🔍
06/05/2020 +401 days 🔍
CVE: CVE-2019-3929 (🔍)
See also: 🔍
EntryCreated: 05/01/2019 02:06 PM
Updated: 06/05/2020 11:16 AM
Changes: (2) vulnerability_discoverydate advisory_url
Interested in the pricing of exploits?
See the underground prices here!