CVE-2019-3935
Description
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to act as a moderator to a slide show via crafted HTTP POST requests to conference.cgi. A remote, unauthenticated attacker can use this vulnerability to start, stop, and disconnect active slideshows.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crestron AM-100/AM-101 allow unauthenticated remote attackers to control slideshows via crafted HTTP POST requests to conference.cgi.
Vulnerability
The Crestron AM-100 (firmware 1.6.0.2) and AM-101 (firmware 2.7.0.2) contain a vulnerability in the conference.cgi endpoint. An attacker can send crafted HTTP POST requests to act as a moderator, allowing control over active slideshows [1]. The vulnerable code path requires no authentication or special configuration, so it is reachable by any host that can reach the device's web interface.
Exploitation
A remote, unauthenticated attacker can exploit this vulnerability by sending specifically crafted HTTP POST requests to the conference.cgi endpoint. The attacker does not need any prior authentication, network position beyond reachability, or user interaction. By sending these requests, the attacker can issue moderator-level commands such as start, stop, and disconnect slideshows [1].
Impact
Successful exploitation enables an attacker to start, stop, and disconnect active slideshows on the affected Crestron devices. This constitutes a loss of availability for presentation functionality and may disrupt scheduled or ongoing presentations. The attacker does not gain code execution or access to other device functions, but the control over slideshows can cause operational disruption in meeting or conference room environments [1].
Mitigation
Crestron has not released a firmware update for the AM-100 or AM-101 to address this vulnerability as of the publication date. Users are advised to restrict network access to the affected devices, placing them behind firewalls or in segmented networks, and to disable or restrict access to the conference.cgi endpoint if feasible [1]. No workaround is explicitly provided in the reference.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
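The mitigation above amounts to restricting who can reach conference.cgi. A complementary detective control is to watch for moderator POSTs to that endpoint from hosts that should not be managing the device. The following is an added example, not code from the CVE record, Tenable's advisory, or Crestron; it assumes Combined Log Format lines from a reverse proxy or network sensor in front of the device (the device itself may log differently), assumes the endpoint is served at the path `/conference.cgi` (the page names only the CGI, not its full path), and uses constructed sample log lines and a hypothetical allowlist of management subnets.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines (Combined Log Format) -- not real captures from an
# AM-100/AM-101. 10.20.30.0/24 plays the role of the trusted management subnet;
# 203.0.113.77 and 192.0.2.9 are documentation-range addresses standing in for
# hosts that have no business controlling the presentation.
SAMPLE_LOG = """\
10.20.30.5 - - [12/Mar/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.20.30.5 - - [12/Mar/2019:10:01:09 +0000] "POST /conference.cgi HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2019:10:02:41 +0000] "POST /conference.cgi HTTP/1.1" 200 88 "-" "python-requests/2.21.0"
203.0.113.77 - - [12/Mar/2019:10:02:42 +0000] "POST /conference.cgi HTTP/1.1" 200 88 "-" "python-requests/2.21.0"
192.0.2.9 - - [12/Mar/2019:10:03:00 +0000] "GET /conference.cgi HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: source address, timestamp, request line
# pieces and status code are all this detection needs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowed(src, networks):
    """True if src is a valid IP inside one of the allowlisted networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        # Unparseable source (e.g. a hostname): treat as untrusted.
        return False
    return any(addr in net for net in networks)


def find_moderator_requests(log_text, allowed_cidrs=(), target="conference.cgi"):
    """Flag POSTs to the moderator CGI from sources outside the allowlist.

    Only POST matters here: the CVE is about crafted POST requests granting
    moderator control, while a GET of the same CGI is ordinary page viewing.
    The query string is stripped so 'conference.cgi?x=1' still matches.
    """
    networks = [ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if path.rsplit("/", 1)[-1] != target:
            continue
        if is_allowed(rec["src"], networks):
            continue
        findings.append({
            "src": rec["src"],
            "ts": rec["ts"],
            "path": path,
            "status": rec["status"],
        })
    return findings


def summarize_by_source(findings):
    """Count flagged moderator POSTs per source address (dict form)."""
    return dict(Counter(f["src"] for f in findings))


if __name__ == "__main__":
    hits = find_moderator_requests(SAMPLE_LOG, allowed_cidrs=["10.20.30.0/24"])
    for src, n in summarize_by_source(hits).items():
        print(f"{src}: {n} moderator POST(s) to conference.cgi from outside the allowlist")
```

Run over a real log feed, an empty allowlist reports every moderator POST (useful to baseline who actually drives the device), and a populated allowlist reduces the output to the unexpected sources; repeated hits from one address within seconds, as in the sample, are the pattern worth alerting on because a legitimate presenter rarely fires moderator commands in rapid succession.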
Affected products
- Crestron / Crestron AirMediav5Range: AM-100 firmware 1.6.0.2 and AM-101 firmware 2.7.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1. www.tenable.com/security/research/tra-2019-20 (MISC)
News mentions
No linked articles in our index yet.