Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and earlier, has a web management interface which contains multiple vulnerabilities, including authentication bypass, failure to restrict access to authorized users, use of hard-coded certificate, default credentials, and cross-site request forgery (CSRF). These vulnerabilities may be leveraged to gain complete control of affected devices.
Crestron Electronics DM-TXRX-100-STR is a "streaming encoder/decoder designed to enable the distribution of high-definition AV signals over an IP network." The DM-TXRX-100-STR is configurable via a web interface that contains multiple vulnerabilities.
CWE-603: Use of Client-Side Authentication - CVE-2016-5666
A remote, unauthenticated attacker may use any of several vectors to gain administrative access and take complete control of a vulnerable device.
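The CWE-603 weakness named above (client-side authentication) is the pattern in which a web interface relies on the browser's own script or cookie state to decide whether a user is logged in, while the server-side handler for the protected page performs no check of its own. The following is an added illustration written for this note; it is a constructed model of a generic web management interface, not Crestron's code, and it makes no claim about how the DM-TXRX-100-STR firmware is implemented. The `Request` type, the single `admin` account, the password, and the session store are all assumptions made for the example. It shows a handler that is exposed in exactly that way beside one that enforces authentication on the server.

```python
"""Client-side authentication (CWE-603) versus server-side enforcement.

Constructed, self-contained model of a web management interface. It is not
Crestron's code and does not describe the DM-TXRX-100-STR implementation;
it only illustrates the weakness class the advisory names.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Constructed server-side state: one admin account with a salted PBKDF2 hash,
# and a session table that exists only on the server.
_SALT = secrets.token_bytes(16)
_ADMIN_PW_HASH = hashlib.pbkdf2_hmac("sha256", b"example-password", _SALT, 100_000)
_SESSIONS: dict = {}  # session token -> username


def _verify_password(password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, _ADMIN_PW_HASH)


def login(req: Request) -> tuple:
    """POST /login: a random session token is issued only after the server
    itself has checked the credentials."""
    if req.form.get("user") == "admin" and _verify_password(req.form.get("password", "")):
        token = secrets.token_urlsafe(32)
        _SESSIONS[token] = "admin"
        return 200, {"Set-Cookie": f"session={token}; HttpOnly; Secure; SameSite=Strict"}
    return 401, {}


def client_side_gate(cookies: dict) -> str:
    """What the page's own script does in the browser: if it sees no
    'loggedIn' cookie it navigates to /login. This runs on the client, so a
    client that sets the cookie or skips the script is never gated."""
    return "/login" if cookies.get("loggedIn") != "true" else "/admin"


def vulnerable_admin_handler(req: Request) -> tuple:
    """CWE-603: the developer relied on client_side_gate() and added no
    server-side check, so any direct request for /admin is served."""
    return 200, "admin configuration page"


def hardened_admin_handler(req: Request) -> tuple:
    """Server-side enforcement: the request is authorised only if its cookie
    carries a token that maps to a live session in the server's own table."""
    user = _SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return 401, "authentication required"
    return 200, "admin configuration page"


def demo() -> dict:
    """Run both handlers against the same requests and return the status codes."""
    anonymous = Request("/admin")
    results = {
        "client_gate_redirects": client_side_gate(anonymous.cookies),
        "vulnerable_anonymous": vulnerable_admin_handler(anonymous)[0],
        "hardened_anonymous": hardened_admin_handler(anonymous)[0],
        "hardened_bad_password": login(Request("/login", form={"user": "admin", "password": "wrong"}))[0],
    }
    status, headers = login(Request("/login", form={"user": "admin", "password": "example-password"}))
    token = headers["Set-Cookie"].split(";")[0].split("=", 1)[1]
    results["login_ok"] = status
    results["hardened_with_session"] = hardened_admin_handler(Request("/admin", cookies={"session": token}))[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the contrast is that the browser-side redirect in `client_side_gate()` is not an access control at all: the server cannot tell whether that script ran. Every protected handler must make its own decision from state the server holds, as `hardened_admin_handler()` does, and the session cookie should be marked `HttpOnly`, `Secure` and `SameSite` so that the same token is not also usable by the cross-site request forgery the advisory lists.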
Apply an upgrade
Restrict network access and use strong passwords
Thanks to Carsten Eiram of Risk Based Security for reporting these vulnerabilities.
This document was written by Joel Land.