Security researchers have recently found that eight wireless presentation systems popular on the market, including Crestron AirMedia, Barco WePresent and Extron ShareLink, contain a series of serious vulnerabilities that could put their users at risk.
Critical flaws
Wireless presentation systems let a user connect a laptop to the device through a pre-installed application or a web browser and mirror its screen directly, with no network cable required. Many of these systems, however, contain serious flaws, including an unauthenticated remote command injection and an unauthenticated remote stack buffer overflow.
In total, researchers at the security firm Tenable disclosed 15 vulnerabilities last Tuesday, most of which affect Crestron AirMedia. Two of the 15, however (CVE-2019-3929 and CVE-2019-3930), affect a whole line of wireless presentation systems: besides Crestron, these include Barco WePresent, Extron ShareLink, InFocus LiteShow, TEQ AVIT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro and Blackbox HD WPS.
The reason, as Tenable researcher Jacob Baines found, is that these eight systems share the same underlying code: the base software of all of these wireless presentation systems was developed by AWIND, a subsidiary of Barco.
Of the two flaws that affect all eight systems, CVE-2019-3930 is the more serious: an unauthenticated remote stack buffer overflow with a CVSS score of 9.7 (out of 10). It lies in the device's PARSERtoCHAR function, which does not authenticate requests handed to it through a CGI script (CGI, the Common Gateway Interface, is the standard protocol by which a web server runs external programs). An unauthenticated remote attacker can therefore exploit it by sending a crafted request to the return.cgi endpoint and executing arbitrary code.
CVE-2019-3929, meanwhile, is an unauthenticated remote command injection flaw that lets an unauthenticated remote attacker execute operating-system commands by sending a crafted request to the file_transfer.cgi HTTP endpoint. With a CVSS score of 9.6 (out of 10), it is likewise not to be ignored.
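As an added example (not Tenable's, Crestron's or any other vendor's code), the following Python script scans web-server access logs for requests to the two CGI endpoints named above, file_transfer.cgi and return.cgi, and flags shell metacharacters in their parameters (the command-injection pattern) and oversized parameter values (the buffer-overflow pattern). The /cgi-bin/ path prefix, the 256-byte length threshold, the assumption that a payload is visible in the URL, and the sample log lines are all constructed assumptions for this example, not details taken from the advisory.

```python
"""Scan Common Log Format access logs for hits on the AWIND-derived CGI
endpoints named in the advisory. Added example, not vendor or Tenable code."""
import re
from urllib.parse import unquote_plus, urlsplit

# Assumptions (not from the article): the endpoints sit under /cgi-bin/, and a
# single parameter longer than 256 bytes is treated as suspicious.
WATCHED_ENDPOINTS = ("file_transfer.cgi", "return.cgi")
LONG_PARAM_BYTES = 256
SHELL_META = re.compile(r"[;|`\n]|\$\(")  # common shell command separators

# One Common Log Format line: ip ident user [time] "METHOD target proto" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (hypothetical traffic, not real captures).
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/May/2019:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.5 - - [01/May/2019:10:01:20 +0000] "GET /cgi-bin/return.cgi?t=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2019:10:02:40 +0000] "POST /cgi-bin/file_transfer.cgi?file=x%3Bid HTTP/1.1" 200 77',
    '10.0.0.9 - - [01/May/2019:10:03:01 +0000] "GET /cgi-bin/return.cgi?t=' + "A" * 600 + ' HTTP/1.1" 200 0',
])


def parse_clf(line):
    """Return a dict of fields for one CLF line, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def query_params(query):
    """Split a query string on '&' only and percent-decode each side.
    Done by hand so that ';' is never treated as a pair separator: it is
    exactly the character an injection payload would carry."""
    out = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        out.append((unquote_plus(name), unquote_plus(value)))
    return out


def inspect_request(target):
    """Return (endpoint, [rules]) if the request target is a watched endpoint,
    else None. Every hit gets 'watched_endpoint'; payload rules are added on top."""
    parts = urlsplit(target)
    endpoint = parts.path.rsplit("/", 1)[-1].lower()
    if endpoint not in WATCHED_ENDPOINTS:
        return None
    rules = ["watched_endpoint"]
    for name, value in query_params(parts.query):
        if SHELL_META.search(value):
            rules.append(f"shell_metachar:{name}")
        if len(value.encode()) > LONG_PARAM_BYTES:
            rules.append(f"oversized_param:{name}:{len(value)}")
    return endpoint, rules


def scan(log_text):
    """Run inspect_request over every parsable line; return one record per hit."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_clf(line)
        if not entry:
            continue
        result = inspect_request(entry["target"])
        if result:
            endpoint, rules = result
            hits.append({"ip": entry["ip"], "ts": entry["ts"],
                         "endpoint": endpoint, "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["endpoint"]} {", ".join(hit["rules"])}')
```

A standard access log does not record a POST body, so an injection carried in the body leaves only the endpoint hit behind; that is why the script records every request to these endpoints rather than only those with a visible payload, and why the list of source addresses it produces is the more useful output on a real log.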
Figure: Crestron AirMedia presentation system
Beyond these two critical holes, the remaining 13 flaws are all bugs in the Crestron AirMedia AM-100 and AM-101 wireless presentation models. Worse, only 18% of Crestron AM-101 users are running the latest firmware (released in June 2018).
These include two unauthenticated remote operating-system command injection flaws (CVE-2019-3925 and CVE-2019-3926). Both stem from the Simple Network Management Protocol (SNMP) service running on the device and allow an unauthenticated remote attacker to inject operating-system commands.
Figure: Crestron AM device update status
Other flaws allow an unauthenticated attacker to change the administrator password (CVE-2019-3927); view or change slideshow details (CVE-2019-3928); upload files to the presentation device remotely (CVE-2019-3931); and launch a denial-of-service attack against the system's "remote view" feature (CVE-2019-3936), among others.
Crestron has so far published a fix schedule for most of the CVEs listed, with the exception of CVE-2017-16709. Patches are due on May 31, with further updates to follow in July. The researchers note that although Crestron claimed in June 2018 to have fixed that authenticated command injection flaw (CVE-2017-16709), analysis of other devices shows that it was not fixed.
Other wireless presentation system vendors have also released updates for these issues: Barco released firmware updates for its WiPG-1000P and WiPG-1600W systems, and Extron also released corresponding firmware updates.
The security of presentation systems is currently a cause for concern; even before this, a new Mirai variant had been found targeting wireless presentation systems including the WePresent WiPG-1000.