ID

VAR-201608-0084


CVE

CVE-2016-5671


TITLE

Crestron Electronics DM-TXRX-100-STR web interface contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#974424

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities on Crestron Electronics DM-TXRX-100-STR devices with firmware through 1.3039.00040 allow remote attackers to hijack the authentication of arbitrary users. These vulnerabilities may be leveraged to gain complete control of affected devices. Crestron Electronics DM-TXRX-100-STR is prone to the following multiple security vulnerabilities:
1. Multiple authentication-bypass vulnerabilities
2. Multiple security-bypass vulnerabilities
3. A cross-site request-forgery vulnerability
An attacker can exploit these issues to bypass certain security restrictions, perform certain unauthorized actions, bypass the authentication mechanism and compromise the application; this may aid in further attacks. Crestron Electronics DM-TXRX-100-STR version 1.2866.00026 and prior versions are vulnerable. Crestron Electronics DM-TXRX-100-STR is a stream encoder/decoder product from Crestron Electronics, USA. A remote attacker could exploit this vulnerability to perform unauthorized operations.

Trust: 2.7

sources: NVD: CVE-2016-5671 // CERT/CC: VU#974424 // JVNDB: JVNDB-2016-004135 // BID: 92211 // VULHUB: VHN-94490

AFFECTED PRODUCTS

vendor: crestron  model: dm-txrx-100-str  scope: lte  version: 1.2866.00026

Trust: 1.0

vendor: crestron  model: -  scope: -  version: -

Trust: 0.8

vendor: crestron  model: dm-txrx-100-str  scope: -  version: -

Trust: 0.8

vendor: crestron  model: dm-txrx-100-str  scope: lte  version: 1.3039.00040

Trust: 0.8

vendor: crestron  model: dm-txrx-100-str  scope: eq  version: 1.2866.00026

Trust: 0.6

vendor: crestron  model: electronics dm-txrx-100-str  scope: eq  version: 1.2866.00026

Trust: 0.3

vendor: crestron  model: electronics dm-txrx-100-str  scope: ne  version: 1.3039.00040

Trust: 0.3

sources: CERT/CC: VU#974424 // BID: 92211 // JVNDB: JVNDB-2016-004135 // CNNVD: CNNVD-201608-008 // NVD: CVE-2016-5671

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-5671
value: HIGH

Trust: 1.0

NVD: CVE-2016-5671
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201608-008
value: MEDIUM

Trust: 0.6

VULHUB: VHN-94490
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-5671
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-94490
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-5671
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-94490 // JVNDB: JVNDB-2016-004135 // CNNVD: CNNVD-201608-008 // NVD: CVE-2016-5671

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-94490 // JVNDB: JVNDB-2016-004135 // NVD: CVE-2016-5671

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201608-008

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201608-008

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004135

PATCH

title: DM-TXRX-100-STR
url: https://www.crestron.com/downloads/pdf/spec_sheets/commercial_and_residential/dm-txrx-100-str.pdf

Trust: 0.8

title: Resource Library
url: http://www.crestron.com/resources/resource-library/firmware

Trust: 0.8

title: Crestron Electronics DM-TXRX-100-STR Fixes for cross-site request forgery vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63409

Trust: 0.6

sources: JVNDB: JVNDB-2016-004135 // CNNVD: CNNVD-201608-008

EXTERNAL IDS

db: CERT/CC  id: VU#974424

Trust: 3.6

db: NVD  id: CVE-2016-5671

Trust: 2.8

db: BID  id: 92211

Trust: 1.4

db: JVN  id: JVNVU93291811

Trust: 0.8

db: JVNDB  id: JVNDB-2016-004135

Trust: 0.8

db: CNNVD  id: CNNVD-201608-008

Trust: 0.7

db: VULHUB  id: VHN-94490

Trust: 0.1

sources: CERT/CC: VU#974424 // VULHUB: VHN-94490 // BID: 92211 // JVNDB: JVNDB-2016-004135 // CNNVD: CNNVD-201608-008 // NVD: CVE-2016-5671

REFERENCES

url: http://www.kb.cert.org/vuls/id/974424

Trust: 2.8

url: https://www.crestron.com/downloads/pdf/spec_sheets/commercial_and_residential/dm-txrx-100-str.pdf

Trust: 1.1

url: http://www.securityfocus.com/bid/92211

Trust: 1.1

url: https://cwe.mitre.org/data/definitions/603.html

Trust: 0.8

url: http://cwe.mitre.org/data/definitions/425.html

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/306.html

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/321.html

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/255.html

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/352.html

Trust: 0.8

url: https://www.crestron.com/resources/resource-library/firmware

Trust: 0.8

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5671

Trust: 0.8

url: http://jvn.jp/vu/jvnvu93291811/

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-5671

Trust: 0.8

url: http://www.kb.cert.org/vuls/id/bluu-a9cmty

Trust: 0.8

sources: CERT/CC: VU#974424 // VULHUB: VHN-94490 // BID: 92211 // JVNDB: JVNDB-2016-004135 // CNNVD: CNNVD-201608-008 // NVD: CVE-2016-5671

CREDITS

Carsten Eiram of Risk Based Security

Trust: 0.6

sources: CNNVD: CNNVD-201608-008

SOURCES

db: CERT/CC  id: VU#974424
db: VULHUB  id: VHN-94490
db: BID  id: 92211
db: JVNDB  id: JVNDB-2016-004135
db: CNNVD  id: CNNVD-201608-008
db: NVD  id: CVE-2016-5671

LAST UPDATE DATE

2025-04-13T23:21:06.826000+00:00


SOURCES UPDATE DATE

db: CERT/CC  id: VU#974424  date: 2016-08-01T00:00:00
db: VULHUB  id: VHN-94490  date: 2016-08-16T00:00:00
db: BID  id: 92211  date: 2016-08-01T00:00:00
db: JVNDB  id: JVNDB-2016-004135  date: 2016-08-05T00:00:00
db: CNNVD  id: CNNVD-201608-008  date: 2016-08-04T00:00:00
db: NVD  id: CVE-2016-5671  date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC  id: VU#974424  date: 2016-08-01T00:00:00
db: VULHUB  id: VHN-94490  date: 2016-08-03T00:00:00
db: BID  id: 92211  date: 2016-08-01T00:00:00
db: JVNDB  id: JVNDB-2016-004135  date: 2016-08-05T00:00:00
db: CNNVD  id: CNNVD-201608-008  date: 2016-08-04T00:00:00
db: NVD  id: CVE-2016-5671  date: 2016-08-03T01:59:10.117