August 2018 Crestron Vulnerability Report
For a number of years now, Crestron has been designing systems with a focus on integration into and along with Enterprise IT infrastructure. Support for Active Directory, 802.1x and SNMP, as well as a shift to industry standard protocols including support for SSH and the latest versions of TLS, is a top priority. Products are rigorously tested to ensure stability and compatibility within the Enterprise.
A large part of this is designing systems with security in mind. Part of the U.S. Department of Defense, the Joint Interoperability Test Command (JITC) conducts testing for network devices on behalf of the U.S. Military. Security functions are of course the highest priority, but testing also touches on interoperability and other operational functionality. While focused on the needs of the DoD and other federal agencies, the test criteria are applicable to any professionally managed enterprise. Crestron has nearly 100 products that have been tested and placed on the Approved Product List.
Once a product is released, Crestron also regularly reviews the National Vulnerability Database and Common Vulnerabilities and Exposures Database for any applicable security flaws and makes certain that any required patches are given the highest possible priority and provided to all customers free of charge. In addition, Crestron works with independent researchers that hunt for vulnerabilities, typically on behalf of a particular client.
Recent Vulnerability Report
We were notified of a potential security threat in March. Crestron takes security very seriously and worked to immediately resolve the issue. Within 60 days of notification, Crestron had a resolution and sent communications to customers and dealers recommending a firmware update. We welcome this type of article, as it helps highlight the vulnerability while acknowledging resolution. Crestron is committed to the most secure workplace technologies in the world. Beyond updating firmware, Crestron recently released XiO Cloud, an award-winning IoT-based provisioning and management tool that makes managing firmware a cinch, reducing risks associated with outdated devices.
These vulnerabilities (found on the TSW-760 touchscreen and MC3 control system) are now being publicized as is common practice. As noted, these vulnerabilities were responsibly reported to Crestron ahead of any disclosures and all vulnerabilities were mitigated or resolved by May 2018.
It is Crestron’s opinion that the vulnerabilities, while serious, are largely mitigated by following Crestron’s Secure Deployment Guide and using standard network best practices.
The vulnerabilities, summarized below, were found on systems without any authentication or other security features enabled. It should also be noted that NONE of these vulnerabilities are known by Crestron to have been used in any actual exploits.
All of the following are addressed in version 2.001.0037.001 and higher.
CVE-2018-11228 and CVE-2018-11229: OS Command Injection
Both of these reports essentially noted that by using the Telnet Console or the CTP Console, it was possible to create specially formed commands that might allow a user root access or access to the file system. If a device had authentication on, both of these clients are closed by default and only SSH remains. In this case, only an authenticated user would be able to create these specially formed commands. In the firmware update, the ability to create these specially formed commands has been blocked.
CVE-2018-13341: Elevation of Privilege in Crestron Terminal Protocol
Crestron TSW-XX60 touchscreens have a debug-specific command called SUDO that provides for engineering diagnostics and manufacturing commands. In earlier versions of the TSW firmware, the command could be executed by a non-administrator. In addition, the password generator application itself was on the file system, allowing a non-administrator to effectively generate the key to execute the debug commands. In all cases, if authentication was enabled, only an authenticated user could have attempted to exploit this vulnerability.
However, to eliminate any possible confusion, the supwdgenerator executable has been completely removed from the device and the original generation algorithm has been modified. In addition, only an administrator can now run the SUDO diagnostics.
The MC3 also has the SUDO command; however, it has always been accessible only to an authenticated administrator. In addition, there was never an accessible password generator on the file system.
CVE-2018-10630: Improper Access Control
All of the following are addressed in version 1.502.0047.001 and higher.
This is simply noting that authentication is not enabled by default on Crestron devices. This is by current design.
To avoid confusion, with the minimum firmware version listed below, Crestron’s CTP Console and Telnet access are now disabled by default. Only SSH is available for configuration. If the device does not have authentication enabled, an SSH banner will display a warning which recommends securing the device. In addition, the WHOAMI command response on an unsecured device now correctly reports that the user is Unknown instead of an administrator.
Crestron intends to implement these features on any device that implements authentication features.
Call to Action
TSW-X60 (login required)
MC3 (login required)
While Crestron’s Secure Deployment Guide has a large number of options, only one command is necessary to enable the security features required to eliminate this vulnerability.
Either enter “AUTH ON” on the console command line, or use the Toolbox Authentication dialogs.
You will be prompted for the name and password of an Administrator account. DO NOT LOSE THIS INFORMATION. THE SYSTEM CANNOT BE ACCESSED WITHOUT THIS INFORMATION. At this time, FTP, HTTP, and TELNET services will be disabled. HTTPS will continue to be available.
Refer to Secure My Crestron System for more information on hardening devices which includes links to the following documents:
Crestron also recommends that users refer to Security Advisories for more information about these and other vulnerabilities.