VYPR
Critical severity 9.8 · NVD Advisory · Published Aug 3, 2016 · Updated May 6, 2026

CVE-2016-5666

Description

Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.3039.00040 rely on the client to perform authentication, which allows remote attackers to obtain access by setting the value of objresp.authenabled to 1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crestron DM-TXRX-100-STR devices allow remote attackers to bypass authentication by setting a client-side variable, gaining full administrative access.

Vulnerability

Crestron Electronics DM-TXRX-100-STR streaming encoder/decoder devices running firmware before version 1.3039.00040 contain an authentication bypass vulnerability (CVE-2016-5666). The web management interface relies on client-side JavaScript to authenticate users to the index.html page. By intercepting the server response and ensuring objresp.authenabled == '1', an attacker can bypass authentication entirely, without needing valid credentials [1].

Exploitation

An attacker with network access to the device's web interface can set the objresp.authenabled value to 1 in the client-side response, thereby gaining access to the administrative interface. No authentication, user interaction, or prior knowledge of credentials is required [1]. Additionally, other related vulnerabilities (such as forced browsing and missing authentication for API functions) further lower the barrier to exploitation.
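The design flaw described above, as an added example that is not Crestron's firmware code: a client-side gate keyed on a response field, next to a server-side check that denies by default and so also covers forced browsing and unauthenticated API functions. Only the field name `authenabled` comes from the advisory; the function names, paths, session store and token are constructed assumptions.

```javascript
// Added example: only the field name "authenabled" is from the advisory.
// Functions, paths, tokens and the session store are constructed.

// Flawed pattern: the browser decides from a response field whether to show
// the admin UI. The client controls that value, so this is only a UI hint.
function clientSideGate(objresp) {
  return objresp.authenabled === '1' ? 'render-admin-ui' : 'render-login';
}

// Hardened pattern: deny by default. Every path that is not explicitly public
// (pages and API functions alike) needs a live server-side session.
const PUBLIC_PATHS = new Set(['/login.html']);

function serverSideGate(req, sessions) {
  if (PUBLIC_PATHS.has(req.path)) return { status: 200 };
  const m = (req.headers.cookie || '').match(/(?:^|;\s*)sid=([^;]+)/);
  const session = m ? sessions.get(m[1]) : undefined;
  if (!session || session.expires <= req.now) return { status: 401 };
  if (session.role !== 'admin') return { status: 403 };
  return { status: 200, user: session.user };
}

// Constructed session store with one admin session that expires at t=2000.
const SESSIONS = new Map([
  ['constructed-token-1', { user: 'avadmin', role: 'admin', expires: 2000 }],
]);

function demo() {
  const claim = { authenabled: '1' }; // value supplied by the client
  const gate = (path, cookie, now) =>
    serverSideGate({ path, headers: cookie ? { cookie } : {}, body: claim, now }, SESSIONS).status;
  return {
    clientDecision: clientSideGate(claim),
    pageNoSession: gate('/index.html', '', 1000),
    apiNoSession: gate('/api/config', '', 1000),
    expiredSession: gate('/index.html', 'sid=constructed-token-1', 3000),
    validSession: gate('/index.html', 'sid=constructed-token-1', 1000),
    loginPage: gate('/login.html', '', 1000),
  };
}

console.log(demo());
```

The server-side gate never reads the request body, so the client's `authenabled` claim has no effect on the status it returns.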

Impact

Successful exploitation grants an attacker full administrative access to the device's web management interface. This allows them to modify device configuration, potentially disrupt AV signal distribution, and leverage the compromised device for further network attacks. The device also uses default credentials (admin:admin) and a hard-coded X.509 certificate, compounding the risk of unauthorized control and man-in-the-middle attacks [1].

Mitigation

Crestron released firmware version 1.3039.00040 to address these vulnerabilities; users should update immediately. No workarounds are described in the available reference [1]. Unpatched devices remain exposed, so organizations should inventory and update all Crestron DM-TXRX-100-STR units in their environment.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
