Multiple models of Harman AMX multimedia devices contain a hard-coded debug account.
CWE-798: Use of Hard-coded Credentials - CVE-2015-8362
According to the researchers' blog post, several models of Harman AMX multimedia devices contain a hard-coded "backdoor" account with administrative permissions. Further details are available in the researchers' vulnerability advisory. AMX firmware release notes indicate this was a debugging account left in the released firmware.
Affected devices include but are not limited to:
An attacker with knowledge of the account credentials can obtain administrative access on the device.
Apply an update
AMX has released an update for some devices. Affected users are encouraged to contact Harman's support line for more information on obtaining the update.
Restrict network access
Thanks to Johannes Greil of SEC Consult for reporting this vulnerability.
This document was written by Garret Wassermann.
|Date First Published:|2016-01-21|
|Date Last Updated:|2016-01-27 23:50 UTC|