CVE-2018-11228

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected Crestron touchscreen devices via a Bash shell service in the Crestron Toolbox Protocol. Organizations using Crestron TSW series devices in building automation, conference rooms, or control systems are affected. The CVSS 9.8 score indicates critical severity.

💻 Affected Systems

Products:
  • Crestron TSW-1060
  • TSW-760
  • TSW-560
  • TSW-1060-NC
  • TSW-760-NC
  • TSW-560-NC
Versions: All versions before 2.001.0037.001
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Devices must have Crestron Toolbox Protocol (CTP) enabled, which is typically enabled by default for remote management.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of device leading to lateral movement into corporate networks, data exfiltration, or disruption of building automation systems.

🟠 Likely Case

Unauthenticated attackers gain shell access to install malware, pivot to other systems, or disrupt device functionality.

🟢 If Mitigated

Isolated devices with network segmentation prevent exploitation and limit impact to local system only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to port 41794/TCP (CTP) and knowledge of the protocol. Public exploit code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.001.0037.001

Vendor Advisory: https://support.crestron.com/app/answers/answer_view/a_id/5471

Restart Required: Yes

Instructions:

1. Download firmware 2.001.0037.001 from the Crestron support portal.
2. Upload the firmware to the device via the web interface or Toolbox.
3. Apply the update and restart the device.

🔧 Temporary Workarounds

Disable CTP Service

Applies to: all

Disable the Crestron Toolbox Protocol service to prevent exploitation.

Access device web interface > Settings > Network > Services > Disable CTP

Network Segmentation

Applies to: all

Isolate Crestron devices on a separate VLAN with strict firewall rules.

🧯 If You Can't Patch

  • Segment network: Place Crestron devices on isolated VLAN with no internet access.
  • Implement strict firewall rules: Block port 41794/TCP from untrusted networks.

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface: Settings > About. If the version is below 2.001.0037.001, the device is vulnerable.

Check Version:

curl -s http://<device_ip>/cgi-bin/version.cgi | grep Firmware

Verify Fix Applied:

Confirm the firmware version is 2.001.0037.001 or higher. If the CTP-disable workaround was applied instead, nmap -p 41794 <device_ip> should report the port as filtered or closed.
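The version check above depends on comparing a four-field version string against 2.001.0037.001, and a plain text comparison gets this wrong for unpadded builds such as 2.1.36.1. The following script is an added example (not code from the advisory or from Crestron) that reads the same version.cgi endpoint the curl one-liner uses, extracts the version, and compares it field by field. The response format ("Firmware: x.y.z.w") and the regex are assumptions; the sample responses are constructed.

```python
import re
import sys
from urllib.request import urlopen

# Fixed version from the advisory; anything numerically below it is vulnerable.
FIXED_VERSION = "2.001.0037.001"

# Assumption: the device reports a four-field, dot-separated numeric version.
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")


def parse_version(version: str) -> tuple:
    """Convert '2.001.0037.001' to (2, 1, 37, 1) so comparison is numeric.

    A plain string comparison is unsafe here: '2.1.36.1' sorts *after*
    '2.001.0037.001' as text even though it is an older build.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts)


def extract_version(text: str):
    """Return the first version-looking token in the device's response, or None."""
    match = VERSION_RE.search(text)
    return match.group(1) if match else None


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess(text: str) -> dict:
    """Classify a version.cgi response as vulnerable, patched, or undetermined."""
    version = extract_version(text)
    if version is None:
        return {"version": None, "vulnerable": None, "status": "version not found"}
    vulnerable = is_vulnerable(version)
    status = f"VULNERABLE: update to {FIXED_VERSION}" if vulnerable else "patched"
    return {"version": version, "vulnerable": vulnerable, "status": status}


def fetch_version_text(device_ip: str, timeout: float = 5.0) -> str:
    """Fetch the same endpoint the advisory's curl one-liner reads (assumed format)."""
    with urlopen(f"http://{device_ip}/cgi-bin/version.cgi", timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample responses; the real response format may differ.
SAMPLE_OLD = "Product: TSW-760\nFirmware: 2.001.0036.001\n"
SAMPLE_FIXED = "Product: TSW-760\nFirmware: 2.001.0037.001\n"
SAMPLE_NEWER = "Product: TSW-1060\nFirmware: 2.001.0100.002\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_ctp_version.py <device_ip>
        print(assess(fetch_version_text(sys.argv[1])))
    else:
        for sample in (SAMPLE_OLD, SAMPLE_FIXED, SAMPLE_NEWER):
            print(assess(sample))
```

Run it with a device IP to query a real panel, or with no arguments to see the three constructed cases. An "undetermined" result (no version found) should be treated as unverified, not as patched.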

📡 Detection & Monitoring

Log Indicators:

  • Unusual connections to port 41794
  • Bash shell spawn events in system logs
  • Unauthorized configuration changes

Network Indicators:

  • Unexpected traffic to/from port 41794/TCP
  • CTP protocol anomalies
  • Shell reverse connections from device

SIEM Query:

(source_port:41794 OR dest_port:41794 OR process:bash) AND device_type:crestron

The parentheses matter: in most query languages AND binds tighter than OR, so without them the device_type filter would apply only to the process:bash clause and the query would return all port 41794 traffic from every device.
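The network indicators above (connections to 41794/TCP from untrusted hosts, and reverse connections originating from a device) can be checked offline against firewall or flow logs. This is an added example, not part of the advisory: it parses constructed key=value log lines, flags CTP connections to panels from outside an assumed management subnet (10.0.9.0/24), flags sessions a panel originates toward non-management hosts, and, as a generalisation beyond the advisory's list, groups untrusted sources that touch CTP on several panels. The subnets, log format and sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

CTP_PORT = 41794  # Crestron Toolbox Protocol port named in the advisory

# Assumed network layout (constructed for this example, not from the advisory):
# touch panels live in 10.50.10.0/24 and only the management subnet 10.0.9.0/24
# is permitted to reach them or to be reached by them.
PANEL_SUBNET = ipaddress.ip_network("10.50.10.0/24")
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.9.0/24")]

# Constructed key=value firewall/flow log lines (not real device or firewall output).
SAMPLE_LOG = """\
ts=2024-03-01T09:00:01Z src=10.0.9.5 spt=51000 dst=10.50.10.21 dpt=41794 proto=tcp action=allow
ts=2024-03-01T09:00:05Z src=10.0.9.5 spt=51002 dst=10.50.10.21 dpt=80 proto=tcp action=allow
ts=2024-03-01T09:03:11Z src=192.0.2.77 spt=44310 dst=10.50.10.21 dpt=41794 proto=tcp action=allow
ts=2024-03-01T09:03:12Z src=192.0.2.77 spt=44311 dst=10.50.10.22 dpt=41794 proto=tcp action=allow
ts=2024-03-01T09:03:13Z src=192.0.2.77 spt=44312 dst=10.50.10.23 dpt=41794 proto=tcp action=deny
ts=2024-03-01T09:05:40Z src=10.50.10.22 spt=39822 dst=198.51.100.9 dpt=4444 proto=tcp action=allow
ts=2024-03-01T09:06:00Z src=10.20.3.8 spt=50211 dst=10.50.10.22 dpt=443 proto=tcp action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict of string fields."""
    return dict(KV_RE.findall(line))


def is_management(ip) -> bool:
    return any(ip in net for net in MANAGEMENT_NETS)


def analyze(log_text: str) -> dict:
    """Return findings for the advisory's network indicators plus a sweep summary."""
    findings = []
    targets_by_source = defaultdict(set)
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if not all(k in fields for k in ("src", "dst", "dpt")):
            continue  # skip malformed lines rather than crash on them
        src = ipaddress.ip_address(fields["src"])
        dst = ipaddress.ip_address(fields["dst"])
        dpt = int(fields["dpt"])
        if dst in PANEL_SUBNET and dpt == CTP_PORT and not is_management(src):
            # Indicator: CTP reached on a panel from outside the management network.
            # A denied attempt is still recorded; it shows someone probing the port.
            targets_by_source[str(src)].add(str(dst))
            findings.append({"rule": "ctp_from_untrusted", "ts": fields.get("ts"),
                             "src": str(src), "dst": str(dst),
                             "action": fields.get("action")})
        elif src in PANEL_SUBNET and dst not in PANEL_SUBNET and not is_management(dst):
            # Indicator: a panel originating a session to a non-management host,
            # which is what a reverse shell from the device looks like on the wire.
            # Real deployments would also allowlist NTP/update hosts here.
            findings.append({"rule": "panel_outbound", "ts": fields.get("ts"),
                             "src": str(src), "dst": str(dst), "dpt": dpt})
    # Generalisation: one untrusted source touching CTP on two or more panels
    # looks like a sweep rather than a single misconfigured client.
    sweeps = {s: sorted(t) for s, t in targets_by_source.items() if len(t) >= 2}
    return {"findings": findings, "sweeps": sweeps}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for finding in result["findings"]:
        print(finding)
    print("sweeps:", result["sweeps"])
```

Against the constructed log this reports three CTP contacts from 192.0.2.77 (including the denied one), one outbound session from panel 10.50.10.22 to port 4444, and 192.0.2.77 as a sweep across three panels; the management host's CTP session and the HTTPS connection on 443 are not flagged.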
