Advisory Details

August 14th, 2018

Crestron Multiple Products CTP Console Incorrect Default Permissions Remote Code Execution Vulnerability

ZDI-18-932
ZDI-CAN-6173

CVE ID CVE-2018-10630
CVSS SCORE 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C (CVSSv2)
AFFECTED VENDORS Crestron
AFFECTED PRODUCTS MC3
VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Crestron products. Authentication is not required to exploit this vulnerability.

The specific flaw exists because authentication is disabled by default on the CTP console of affected Crestron devices, so anyone who can reach the console over the network can issue commands without credentials. An attacker can leverage this vulnerability to execute code in the context of Administrator. Because the weakness is a default setting rather than a code defect, devices should be checked after updating to confirm that console authentication is actually enabled.
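
The following probe is an added example for checking whether a device's CTP console answers commands without credentials; it is not part of the ZDI advisory, the ICS-CERT advisory, or any Crestron code. It assumes that the console listens on TCP 41795, that it accepts a plain-text "ver" command, and that an authentication-enabled console replies with a login or password prompt; the fake console it starts on 127.0.0.1 for offline demonstration, and every prompt and banner string in it, are constructed.

```python
"""Probe a Crestron CTP console to see whether it accepts commands unauthenticated.

Added example; port number, command and prompt strings are assumptions,
and the fake console below is constructed for offline demonstration.
"""
import socket
import threading

CTP_PORT = 41795      # assumed CTP console port; not stated in the advisory
READ_TIMEOUT = 2.0    # seconds to wait for the console to go quiet

# Verdicts returned by probe_ctp()
AUTH_REQUIRED = "AUTH_REQUIRED"        # console asked for credentials
UNAUTHENTICATED = "UNAUTHENTICATED"    # console ran a command with no credentials
UNKNOWN = "UNKNOWN"                    # nothing usable came back


def _read_reply(sock, timeout=READ_TIMEOUT):
    """Read until the console shows a prompt ('>' or 'xxx:') or goes quiet."""
    sock.settimeout(timeout)
    buf = b""
    while not (buf.endswith(b">") or buf.rstrip().endswith(b":")):
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:            # peer closed
            break
        buf += chunk
    return buf


def classify(transcript):
    """Heuristic (assumed prompt wording): a login/password prompt means auth is on."""
    text = transcript.lower()
    if b"login" in text or b"password" in text:
        return AUTH_REQUIRED
    if text.strip():
        return UNAUTHENTICATED
    return UNKNOWN


def probe_ctp(host, port=CTP_PORT, timeout=READ_TIMEOUT):
    """Connect, read any greeting, send a harmless 'ver' and classify the result."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        transcript = _read_reply(sock, timeout)
        if classify(transcript) == AUTH_REQUIRED:
            return AUTH_REQUIRED
        sock.sendall(b"ver\r\n")     # assumed benign version query
        transcript += _read_reply(sock, timeout)
    return classify(transcript)


def start_fake_ctp(auth_enabled):
    """Constructed stand-in for a device console; returns its port on 127.0.0.1."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.settimeout(2.0)
            try:
                if auth_enabled:
                    conn.sendall(b"Login: ")
                    conn.recv(1024)
                    conn.sendall(b"Password: ")
                    return
                conn.sendall(b"MC3>")                       # constructed prompt
                cmd = conn.recv(1024)
                if cmd.strip().lower() == b"ver":
                    conn.sendall(b"MC3 Cntrl Eng [v1.0 (constructed)]\r\nMC3>")
                else:
                    conn.sendall(b"Bad or Incomplete Command\r\nMC3>")
            except OSError:
                return

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_ctp(sys.argv[1]))
    else:
        for flag in (False, True):
            port = start_fake_ctp(flag)
            print("fake console auth_enabled=%s -> %s" % (flag, probe_ctp("127.0.0.1", port)))
```

Run it with a host name to probe a real device; with no arguments it probes the two constructed consoles. An UNAUTHENTICATED verdict on a production device means the console is in the default state this advisory describes and authentication should be enabled before anything else.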

ADDITIONAL DETAILS Crestron has issued an update to correct this vulnerability. More details can be found at:
https://ics-cert.us-cert.gov/advisories/ICSA-18-221-01
DISCLOSURE TIMELINE
  • 2018-05-08 - Vulnerability reported to vendor
  • 2018-08-14 - Coordinated public release of advisory
  • 2018-08-14 - Advisory Updated
CREDIT Ricky "HeadlessZeke" Lawshae