{"vuid":"VU#603047","idnumber":"603047","name":"Crestron AirMedia AM-100 contains multiple vulnerabilities","keywords":["CWE-22","CWE-77","path traversal","command injection"],"overview":"The Crestron AirMedia AM-100 with firmware prior to version 1.4.0.13 is vulnerable to path traversal and command injection.","clean_desc":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2016-5639 A path traversal vulnerability exists in login.cgi (and possibly other binaries in the /home/boa/cgi-bin directory) on the AM-100 embedded web server. The src GET parameter passed to login.cgi specifies the relative path to a file for rendering, such as AwLoginDownload.html. However, the value of this parameter can specify an arbitrary path on the AM-100 filesystem. CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') - CVE-2016-5640 A command injection vulnerability exists in rftest.cgi on the AM-100 embedded web server. The ATE_COMMAND POST parameter specifies the path to a command for the underlying OS to execute. By default, the value of this parameter is /sbin/iwpriv; however, the value of this parameter can be a relative or absolute path to any arbitrary command on the underlying OS. Crestron AirMedia AM-100 firmware v1.1.1.11 - v1.2.1 are confirmed affected by the researcher. For more information see the researcher's advisory one and advisory two.","impact":"An unauthenticated remote user may be able to access arbitrary files from the device filesystem, or execute arbitrary OS commands on the device.","resolution":"Apply an update Crestron has released firmware version 1.4.0.13 to address these issues. Affected users should update the firmware of their AM-100 as soon as possible.","workarounds":"","sysaffected":"","thanks":"Thanks to Zach Lanier of Cylance, Inc., for reporting this vulnerability.","author":"This document was written by Garret Wassermann.","public":["http://www.crestron.com/products/model/AM-100","https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md","https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-002.md","http://cwe.mitre.org/data/definitions/22.html","http://cwe.mitre.org/data/definitions/77.html"],"cveids":["CVE-2016-5639","CVE-2016-5640"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2016-07-19T19:39:47Z","publicdate":"2016-08-01T00:00:00Z","datefirstpublished":"2016-08-01T19:54:40Z","dateupdated":"2016-08-02T15:15:34Z","revision":24,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"8.3","cvss_environmentalscore":"6.19533741456","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}