Crestron console service has critical vulnerability

Rapid7 researchers disclosed a command injection vulnerability that can be exploited to gain root-level access to the Crestron console service and allow adversaries to control commands that are being executed on the system.

Crestron Electronics is a provider of advanced control and automation solutions for the office, campus and home, ranging from home security systems, to audio and video distribution, to building and enterprise management systems.

The Crestron Digital Graphics Engine 100, or DGE-100, is a hardware controller used to connect a touchscreen interface, such as Crestron TSD-2220 HD touchscreen display, to external sources over HDMI, USB, or Ethernet. While Crestron Electronics distributes this device globally, the device is usually installed in corporate meeting spaces or control rooms.

Rapid7 explained that the vulnerability, CVE-2018-5553, is considered critical, having a base CVSSv3 scored of 9.8. The command injection vulnerability is in the Crestron console service that is preinstalled on the DGE-100 and other devices. Due to a lack of input sanitization, the Crestron console service is vulnerable to command injection that can be used to gain root-level access, giving attackers the ability to control one or multiple commands that are being executed on the system.

The Crestron console service on the DGE-100 listens on TCP port 41795 and requires “a proprietary management tool” to use. Yet Rapid7 noted that “DGE-100 devices do not require credentials for administrative access to the console service by default. By connecting to this service with netcat and using the ping command with an argument constructed of shell-expandable variables, it is possible to inject operating system commands that will be executed by this console, which itself runs as root.”

Impact of the Crestron flaw

As for the impact, Rapid7 explained:

If default configuration is left in place (i.e. if credentials are not required for administrative access), anyone with the ability to connect to the device’s TCP port 41795 is effectively able to elevate to a root shell on the device. This would make it possible for attackers to co-opt the device for a persistent “beachhead” into the affected network and launch attacks from an affected DGE-100.

Since root access offers unfettered access to the device’s core functionality, it is likely that attackers with this privileged position would be able to intercept and modify any data that the device handles, including the normal video or control data being served over the Ethernet, HDMI, or USB ports.        

Rapid7 researchers Cale Black and Jordan Larose discovered the vulnerability in March. Crestron released a patch on June 4, 2018.

Update firmware of affected Crestron devices

Affected devices, according to Crestron, are the DGE-100, DM-DGE-200-C, and TS-1542-C. The minimum firmware version to address this vulnerability is 1.3384.00059.001.

Crestron said it took “immediate action” to create updates to remediate this concern and has “no evidence of any customers being impacted by the issue.”