Crestron Electronics Information for VU#974424

Crestron Electronics DM-TXRX-100-STR web interface contains multiple vulnerabilities

Status

Affected

Vendor Statement

The following were fully resolved in 1.3.39.00040:
- CWE-603: Use of Client-Side Authentication - CVE-2016-5666
- CWE-425: Direct Request ('Forced Browsing') - CVE-2016-5667
- CWE-306: Missing Authentication for Critical Function - CVE-2016-5668
- CWE-321: Use of Hard-coded Cryptographic Key - CVE-2016-5669

CWE-255: Credentials Management - CVE-2016-5670 - was partially addressed in 1.3.39.00040. Users now have the ability to modify the password on the device page of the web interface. Other credentials management enhancements will be implemented in a future firmware release. It is recommended to change the default password on the device page when commissioning the device.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2016-5671 - will be addressed in a future release.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

None

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.