This updated advisory is a follow-up to the original advisory titled ICSA-16-049-02 AMX Multiple Products Credential Management Vulnerabilities that was published February 18, 2016, on the NCCIC/ICS-CERT web site.
--------- Begin Update A Part 1 of 2 --------
ICS-CERT has become aware of public reporting of credential management vulnerabilities in multiple AMX multimedia devices. AMX has confirmed the existence of hard-coded passwords in multiple products. AMX has produced patches and new product versions to mitigate the vulnerabilities in the affected products. AMX has released new product versions to mitigate the remaining credential management vulnerability in their affected products.
--------- End Update A Part 1 of 2 ----------
These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are known to be publicly available.
The following AMX multimedia devices are affected by vulnerability CVE-2015-8362:
The following AMX multimedia devices are affected by vulnerability CVE-2016-1984:
Successful exploitation of these vulnerabilities may allow an attacker to remotely gain access to the affected systems with elevated privileges to configure user interfaces, change device settings, upload files, and download files.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
AMX is part of the Harman Professional Division, which provides audio and video solutions for IT environments. AMX is a US-based company that is headquartered in Dallas, Texas.
The affected products are used for audio and video automation in conference rooms and classrooms. According to AMX, these products are deployed across the Commercial Facilities and Government Facilities sectors. AMX estimates that these products are used worldwide.
Affected devices contain a hard-coded password for a diagnostic account with elevated privileges that can be used to configure user settings and device settings, upload files, and download files.
CVE-2015-8362 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned by AMX; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H).
Affected devices contain a hard-coded password for an account that has privileges to exchange Internet Control System Protocol (ICSP) messages, which are accessed via Port 1319/TCP and UDP. AMX reports that this hard-coded password affects firmware Version 1.4.x.
CVE-2016-1984 has been assigned to this vulnerability. A CVSS v3 base score of 5.8 has been assigned by AMX; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N).
These vulnerabilities could be exploited remotely.
Exploits that target these vulnerabilities are known to be publicly available.
An attacker with low skill would be able to exploit these vulnerabilities.
AMX has reported the release of standard firmware versions and Hotfix firmware versions, which mitigate vulnerability CVE-2015-8362 in the affected products. AMX’s standard firmware releases for affected products are available for download at the following URL, with a valid account:
<http://www.amx.com/techcenter/>.
AMX’s Hotfix firmware versions are intended to mitigate vulnerability CVE-2015-8362 until standard firmware versions are available. AMX’s Hotfix firmware versions are available through AMX Tech Support. AMX Tech Support may be reached at (US) 800-932-6993, (International) +1-469-624-8000 or by email at:
AMX has indicated that older devices may require interim firmware updates if the currently installed firmware is older than the versions listed in the dependencies columns. For more information read the Product Release Notes or contact AMX Tech Support.
--------- Begin Update A Part 2 of 2 --------
The credential management vulnerability, CVE-2016-1984, affects firmware Versions 1.4.65 through 1.4.72. AMX has released firmware to mitigate these vulnerabilities. The following software versions should be applied to mitigate the credential management vulnerability:
AMX’s standard firmware releases for affected products are available for download at the following URL, with a valid account:
<http://www.amx.com/techcenter/>.
--------- End Update A Part 2 of 2 ----------
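An asset inventory can be triaged against the firmware range stated above for CVE-2016-1984 (Versions 1.4.65 through 1.4.72) and the ICSP port (1319/TCP and UDP). The following is an added example, not part of the advisory or AMX tooling; the inventory format, host names, column names, and status labels are assumptions constructed for illustration.

```python
import csv
import io
import re

AFFECTED_LOW = (1, 4, 65)   # range stated in the advisory for CVE-2016-1984
AFFECTED_HIGH = (1, 4, 72)
ICSP_PORT = 1319            # ICSP, TCP and UDP, per the advisory

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,firmware,icsp_reachable_from_untrusted
conf-room-a,1.4.66,yes
lecture-hall-2,v1.4.72,no
lab-3,1.4.60,yes
boardroom,1.5.1,no
annex,unknown,yes
"""


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not x.y.z."""
    match = re.fullmatch(r"[vV]?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in match.groups()) if match else None


def classify(firmware):
    """Classify one firmware string against CVE-2016-1984 only."""
    version = parse_version(firmware)
    if version is None:
        return "UNKNOWN"        # cannot decide; verify on the device
    if AFFECTED_LOW <= version <= AFFECTED_HIGH:
        return "AFFECTED"
    if version[:2] == (1, 4):
        return "REVIEW"         # advisory also says "1.4.x"; confirm with AMX
    return "NOT_IN_RANGE"       # says nothing about CVE-2015-8362


def triage(inventory_csv):
    """Return findings with affected, network-exposed devices listed first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        exposed = row["icsp_reachable_from_untrusted"].strip().lower() == "yes"
        findings.append({"host": row["host"], "status": classify(row["firmware"]),
                         "icsp_exposed": exposed})
    order = {"AFFECTED": 0, "UNKNOWN": 1, "REVIEW": 2, "NOT_IN_RANGE": 3}
    findings.sort(key=lambda f: (order[f["status"]], not f["icsp_exposed"]))
    return findings
```

Devices reported as UNKNOWN or REVIEW need their installed firmware confirmed against the Product Release Notes or with AMX Tech Support before being treated as unaffected.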
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
Contact Information
For any questions related to this report, please contact the CISA at:
Email: [email protected]
Toll Free: 1-888-282-0870
For industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics
or incident reporting: https://us-cert.cisa.gov/report