Crestron Electronics Affected

Notified: April 25, 2016

Updated: July 28, 2016

Statement Date: July 26, 2016

Status

Affected

Vendor Statement

The following were fully resolved in 1.3.39.00040:

- CWE-603: Use of Client-Side Authentication - CVE-2016-5666
- CWE-425: Direct Request ('Forced Browsing') - CVE-2016-5667
- CWE-306: Missing Authentication for Critical Function - CVE-2016-5668
- CWE-321: Use of Hard-coded Cryptographic Key - CVE-2016-5669

CWE-255: Credentials Management - CVE-2016-5670 - was partially addressed in 1.3.39.00040. Users now have the ability to modify the password on the device page of the web interface. Other credentials management enhancements will be implemented in a future firmware release. It is recommended to change the default password on the device page when commissioning the device.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2016-5671 - will be addressed in a future release.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.