Multiple wireless presentation systems have critical vulnerabilities – including a remote command-injection glitch and an unauthenticated remote stack buffer overflow flaw.
Wireless presentation systems allow users to display their content directly from their laptop (no network cable necessary) by connecting their device to the system via an installed app or web browser.
Overall, researchers with Tenable on Tuesday disclosed 15 vulnerabilities – with the majority of these impacting Crestron AirMedia. However, two of those 15 vulnerabilities, CVE-2019-3929 and CVE-2019-3930, impact an array of presentation platform systems: Including Crestron, Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS.
That’s because all eight brands share the same underlying code, said Jacob Baines, researcher with Tenable in a post this week. The underlying software for the products was developed by Barco’s subsidiary AWIND – the subsequent issue, he said, is a tangle of different vulnerabilities in multiple brands.
“So what have we seen here? A resold platform that has different levels of patching across different vendors,” he said. “Slow patch deployment amongst the user base. Difficult to obtain firmware. Installations that expose the devices to the internet. And, finally, poor software development practices that left all the devices open to unauthenticated remote code execution.”
Of the two vulnerabilities impacting all eight brands, CVE-2019-3930 is more severe. The unauthenticated remote stack buffer overflow vulnerability has a CVSS Score of 9.7 out of 10. It exists in the function of the device called PARSERtoCHAR, which sometimes does not authenticate CGI scripts (common gateway interface scripts, which are a standard protocol for web servers to execute programs) that are sent via HTTP.
That means a remote, unauthenticated attacker could abuse the vulnerability to execute arbitrary code through a crafted request to the return.cgi endpoint.
CVE-2019-3929 meanwhile is an unauthenticated remote command injection flaw that could enable a remote, unauthenticated attacker to execute operating system commands by sending crafted requests to the HTTP endpoint file_transfer.cgi. The flaw has a CVSS score of 9.6 out of 10, making it critical.
The remaining 13 CVEs are tied to bugs in the Crestron AirMedia AM-100 and AM-101 wireless presentation system models. Making matters worse, less than 18 percent of Crestron AM-101 users have the most recent firmware (released June 2018) said Baines.
These flaws include two unauthenticated remote OS command infection vulnerabilities (CVE-2019-3925,CVE-2019-3926). Both critical flaws stem from the Simple Network Management Protocol (SNMP) in the device and could enable a remote, unauthenticated attacker to inject operating system commands.
Other flaws could allow an unauthenticated attacker to make an admin password change (CVE-2019-3927), view or change presentation details (CVE-2019-3928) upload files to the presentation device remotely (CVE-2019-3931) and launch a Denial of Service attack on the “remote view” of the presentation system (CVE-2019-3936), among other things.
Crestron has issued fixes for all CVEs listed except for one. The patches will begin begin rolling out May 31, and continue with some updates occurring as late as July. One flaw (CVE-2017-16709) is not patched. Researchers said that Crestron in June 2018 had claimed to fix this authenticated, remote command injection flaw, however, “analysis of the other devices indicated they had not patched this vulnerability,” researchers said.
Presentation systems are increasingly insecure, as a new Mirai varianthas been spotted targeting presentation systems including the WePresent WiPG-1000.