#VU14302 Improper access control in Crestron Electronics products - CVE-2018-10630
Published: August 10, 2018
Vulnerability identifier: #VU14302
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-10630
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
TSW-560-NC
TSW-760-NC
TSW-1060-NC
TSW-560
TSW-760
TSW-1060
MC3
TSW-560-NC
TSW-760-NC
TSW-1060-NC
TSW-560
TSW-760
TSW-1060
MC3
Software vendor:
Crestron Electronics
Crestron Electronics
Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists due to the devices are shipped with authentication disabled, and there is no indication to users that they need to take steps to enable it. A remote unauthenticated attacker can bypass security restrictions and gain access to the CTP console.
Remediation
Update TSW-X60 to version 2.001.0037.001.
Update MC3 to version 1.502.0047.001.
Update MC3 to version 1.502.0047.001.