A vulnerability classified as critical was found in Crestron AM-100 and AM-101. Affected by this vulnerability is an unknown function of the file /images/browserslide.jpg. The manipulation with an unknown input leads to a access control vulnerability. The CWE definition for the vulnerability is CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. As an impact it is known to affect confidentiality. The summary by CVE is:

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code simply by requesting /images/browserslide.jpg via HTTP. A remote, unauthenticated attacker can use this vulnerability to watch a slideshow without knowing the access code.

The bug was discovered 05/01/2019. The weakness was released 04/30/2019. This vulnerability is known as CVE-2019-3933 since 01/03/2019. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1068 for this issue.

The commercial vulnerability scanner Qualys is able to test this issue with plugin 13484 (Crestron AM-100 and AM-101 Multiple Vulnerabilities).

Proper firewalling of is able to address this issue.

Entries connected to this vulnerability are available at VDB-134273, VDB-134274, VDB-134275 and VDB-134276. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Affected

• Crestron AM-100 1.6.0.2
• Crestron AM-101 2.7.0.2

Productinfo

Vendor

• Crestron

Name

• AM-100
• AM-101

License

• commercial

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion