AMX Addressing Multiple Vulnerabilities

Thursday, February 18, 2016 @ 05:02 PM gHale


There was a public report of credential management vulnerabilities in a boatload of Harman AMX multimedia devices, according to a report on ICS-CERT.

AMX confirmed the existence of hard-coded passwords in multiple products and created patches and new product versions to mitigate one of the vulnerabilities in the affected products.


AMX is working to release new product versions to mitigate the remaining credential management vulnerability in their affected products. These vulnerabilities are remotely exploitable and exploits are publicly available.

The following AMX multimedia devices suffer from the vulnerability labeled CVE-2015-8362:
• NX-1200, NX-2200, NX-3200, NX-4200 NetLinx Controller, versions prior to Version 1.4.65
• Massio ControlPads MCP-10x, versions prior to Version 1.4.65
• Enova DVX-x2xx, versions prior to Version 1.4.65
• DVX-31xxHD-SP (-T), versions prior to Version 4.8.331
• DVX-21xxHD-SP (-T), versions prior to Version 4.8.331
• DVX-2100HD-SP-T Master, versions prior to Version 4.1.420 (Hotfix firmware version)
• Enova DGX 100 NX Series Master, versions prior to Version 1.4.72 (Hotfix firmware version)
• Enova DGX 8/16/32/64 NX Series Master, versions prior to Version 1.4.72 (Hotfix firmware version)
• Enova DGX 8/16/32/64 NI Series Master, versions prior to Version 4.2.397 (Hotfix firmware version)
• NI-700, NI-900 Master Controllers (64M RAM), versions prior to Version 4.1.419
• NI-700, NI-900 Master Controllers (32M RAM), versions prior to Version 3.60.456 (Hotfix firmware version)
• NI-2100, NI-3100, NI-4100, NI-2100 with ICSNet, NI-3100 with ICSNet, NI-3100/256, NI-3100/256 with ICSNet, NI-4100/256, versions prior to Version 4.1.419
• NI-3101-SIG Master Controller, versions prior to Version 4.1.419
• NI-2000, NI-3000, NI-4000, versions prior to Version 3.60.456 (Hotfix firmware version)
• ME260/64 Duet, versions prior to Version 3.60.456 (Hotfix firmware version)

The following AMX multimedia devices suffer from the vulnerability labeled CVE-2016-1984:
• NX-1200, NX-2200, NX-3200, NX-4200 NetLinx Controller, Version 1.4.65 and Version 1.4.66 (Hotfix firmware version)
• Massio ControlPads MCP-10x, Version 1.4.65 and Version 1.4.66 (Hotfix firmware version)
• Enova DVX-x2xx, Version 1.4.65 and Version 1.4.72 (Hotfix firmware version)
• Enova DGX 100 NX Series Master, Version 1.4.72 (Hotfix firmware version)
• Enova DGX 8/16/32/64 NX Series Master, Version 1.4.72 (Hotfix firmware version)

Successful exploitation of these vulnerabilities may allow an attacker to remotely gain access to the affected systems with elevated privileges to configure user interfaces, change device settings, upload files, and download files.

AMX is part of the Harman Professional Division, which provides audio and video solutions for IT environments. AMX is a U.S.-based company headquartered in Dallas, Texas.

The affected products are used for audio and video automation in conference rooms and classrooms. According to AMX, these products are deployed across the commercial facilities and government facilities sectors. AMX estimates these products are used on a global basis.

Affected devices contain a hard-coded password for a diagnostic account with elevated privileges that can be used to configure user settings, change device settings, upload files, and download files.

CVE-2015-8362 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.9.

Affected devices contain a hard-coded password for an account that has privileges to exchange Internet Control System Protocol (ICSP) messages, which can be accessed via Port 1319/TCP and UDP. AMX reports this hard-coded password affects firmware Version 1.4.x.

CVE-2016-1984 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.8 assigned by AMX.

An attacker with low skill would be able to exploit these vulnerabilities.

AMX reported the release of standard firmware versions and Hotfix firmware versions, which mitigate CVE-2015-8362 in the affected products.

AMX’s Hotfix firmware versions should mitigate CVE-2015-8362 until standard firmware versions are available. AMX’s Hotfix firmware versions are available through AMX Tech Support.

AMX said older devices may require interim firmware updates if the currently installed firmware is older than the versions listed in the dependencies columns. For more information read the Product Release Notes or contact AMX Tech Support.

The credential management vulnerability, CVE-2016-1984, affects firmware Version 1.4.65 through Version 1.4.72. AMX is planning to address this vulnerability in a later version, scheduled for release in April 2016.
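
An inventory triage for the two CVEs, as an added example that is not from AMX or ICS-CERT. It covers only the NX controller, Massio MCP-10x and Enova DVX-x2xx lines, which share the 1.4.65 threshold, and takes the CVE-2016-1984 range as Version 1.4.65 through Version 1.4.72 as stated above; the hostnames, models and versions in INVENTORY are constructed.

```python
import re

# Product patterns and version thresholds are taken from the article's lists.
NX_FAMILY = re.compile(r"^(NX-[1-4]200|MCP-10\d|DVX-\d2\d\d)", re.I)
FIXED_8362 = (1, 4, 65)                 # CVE-2015-8362: versions prior to 1.4.65
RANGE_1984 = ((1, 4, 65), (1, 4, 72))   # CVE-2016-1984: 1.4.65 through 1.4.72


def parse_version(text):
    """Turn 'v1.4.65' or '1.4.65' into (1, 4, 65); raise on anything else."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(model, firmware):
    """Return the CVEs from the article that apply to this device, or None
    when the model is outside the three product lines covered here."""
    if not NX_FAMILY.match(model.strip()):
        return None
    version = parse_version(firmware)
    findings = []
    if version < FIXED_8362:
        findings.append("CVE-2015-8362")
    if RANGE_1984[0] <= version <= RANGE_1984[1]:
        findings.append("CVE-2016-1984")
    return findings


# Constructed inventory rows (hostname, model, firmware); not real devices.
# 1.5.0 is a made-up stand-in for "any version above 1.4.72".
INVENTORY = [
    ("room-101", "NX-2200", "1.4.9"),
    ("room-102", "NX-3200", "v1.4.65"),
    ("room-103", "MCP-108", "1.4.66"),
    ("room-104", "NX-1200", "1.5.0"),
    ("room-105", "NI-700", "4.1.400"),
]


def report(inventory):
    """Map each hostname to its triage result."""
    return {host: triage(model, fw) for host, model, fw in inventory}


if __name__ == "__main__":
    for host, result in report(INVENTORY).items():
        print(host, "not covered" if result is None else result or "no match")
```

Versions are compared as integer tuples, so 1.4.9 sorts before 1.4.65. A device upgraded to 1.4.65 clears CVE-2015-8362 but falls into the CVE-2016-1984 range.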

Most NX series devices have a secondary port (ICSLAN) intended for the connection of AMX client devices. ICSP must remain enabled on any network over which the Central Controller connects to AMX client devices in order for the system to operate as a functional control system.

AMX recommends users consider applying the following interim mitigations until product updates are available:
• If no ICSP devices are connected to the NX series devices via the LAN (external) interface, disable the ICSP control protocol on the external interface from the basic administrative interface.
• Isolate vulnerable systems from the Internet and untrusted systems.
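
One way to check that the isolation holds, as an added example that is not part of the AMX or ICS-CERT guidance: it scans firewall log lines for traffic to Port 1319/TCP or UDP coming from outside the subnets where AMX client devices live. The key=value log format, the ALLOWED_SOURCES subnet and every address in SAMPLE_LOG are constructed assumptions.

```python
import ipaddress
from collections import Counter

ICSP_PORT = 1319  # ICSP is reachable on 1319/TCP and UDP per the article
# Assumption: the only subnet where AMX client devices legitimately sit.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed firewall log lines in a generic key=value layout.
SAMPLE_LOG = """\
2016-02-18T17:02:11Z action=allow proto=tcp src=10.20.30.15 spt=50122 dst=10.20.30.2 dpt=1319
2016-02-18T17:02:40Z action=allow proto=udp src=192.0.2.77 spt=40000 dst=10.20.30.2 dpt=1319
2016-02-18T17:03:02Z action=allow proto=tcp src=192.0.2.77 spt=40112 dst=10.20.30.2 dpt=1319
2016-02-18T17:03:05Z action=deny proto=tcp src=203.0.113.9 spt=51515 dst=10.20.30.2 dpt=1319
2016-02-18T17:04:00Z action=allow proto=tcp src=192.0.2.77 spt=40200 dst=10.20.30.2 dpt=443
malformed line without fields
"""


def parse_line(line):
    """Return the fields needed for the check, or None for unusable lines."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {
            "action": fields["action"],
            "proto": fields["proto"].lower(),
            "src": ipaddress.ip_address(fields["src"]),
            "dst": fields["dst"],
            "dpt": int(fields["dpt"]),
        }
    except (KeyError, ValueError):
        return None


def unexpected_icsp(log_text, allowed=ALLOWED_SOURCES):
    """Count ICSP flows whose source is outside the allowed subnets."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] != ICSP_PORT or rec["proto"] not in ("tcp", "udp"):
            continue
        if any(rec["src"] in net for net in allowed):
            continue
        hits[(str(rec["src"]), rec["dst"], rec["proto"], rec["action"])] += 1
    return hits


def reachable_from_outside(hits):
    """Controllers for which an outside ICSP flow was allowed, not just tried."""
    return sorted({dst for (_, dst, _, action) in hits if action == "allow"})
```

An allowed flow in the result means ICSP is still exposed on that controller's external interface; denied flows show the filter working but are worth tracking as probing.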


