CVE-2019-3939

9.8 CRITICAL

📋 TL;DR

CVE-2019-3939 allows unauthenticated remote attackers to gain privileged access to Crestron AM-100 and AM-101 devices using default credentials. This affects organizations using these devices with vulnerable firmware versions. Attackers can fully compromise the devices and potentially pivot to internal networks.

💻 Affected Systems

Products:
  • Crestron AM-100
  • Crestron AM-101
Versions: AM-100 firmware 1.6.0.2, AM-101 firmware 2.7.0.2
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Devices ship with default credentials that users may not change.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device takeover leading to network pivoting, data exfiltration, or use as an attack launch point against internal systems.

🟠 Likely Case: Unauthorized access to device configuration, potential firmware modification, and surveillance of connected systems.

🟢 If Mitigated: Limited to failed authentication attempts if credentials are changed and access controls are implemented.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be compromised directly, with no valid credentials required.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this, but it requires network access to the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple credential-based attack requiring only a web browser or an HTTP client.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest firmware from Crestron

Vendor Advisory: https://www.crestron.com/Security/Security_Advisories

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Crestron support portal.
2. Upload the firmware via the web interface.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Change Default Credentials (applies to: all)

Immediately change the admin and moderator account passwords to strong, unique values.

Network Segmentation (applies to: all)

Place devices in an isolated VLAN with restricted access to the management interfaces.

🧯 If You Can't Patch

  • Change all default credentials immediately
  • Restrict network access to management interfaces using firewall rules

🔍 How to Verify

Check if Vulnerable:

Attempt to log in to the web interface with the admin/admin or moderator/moderator credentials; if either login succeeds, the device is vulnerable.

Check Version:

Check firmware version in device web interface under System Information.

Verify Fix Applied:

Confirm that login with the default credentials fails and that the device reports the updated firmware version.

📡 Detection & Monitoring

Log Indicators:

  • Successful authentication with default credentials
  • Multiple failed login attempts followed by success

Network Indicators:

  • HTTP POST requests to login endpoints with default credentials
  • Unusual administrative access from unexpected IPs

SIEM Query:

source="crestron_am" AND (event="login_success" AND (user="admin" OR user="moderator"))
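The two log indicators above (a successful login as a default account, and a run of failures followed by a success from the same source) as a small detection routine run over constructed sample log lines. This is an added example, not code from the original page or from Crestron; the key=value line format, the field names and the three-failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed key=value format (not real Crestron output).
SAMPLE_LOGS = """\
2019-05-01T10:00:01Z src=10.0.0.5 user=admin event=login_failed
2019-05-01T10:00:03Z src=10.0.0.5 user=admin event=login_failed
2019-05-01T10:00:05Z src=10.0.0.5 user=admin event=login_failed
2019-05-01T10:00:08Z src=10.0.0.5 user=admin event=login_success
2019-05-01T11:30:00Z src=10.0.1.9 user=moderator event=login_success
2019-05-01T12:00:00Z src=10.0.2.2 user=avtech event=login_success
2019-05-01T12:05:00Z src=10.0.2.3 user=avtech event=login_failed
"""

# Default account names named in the advisory text above.
DEFAULT_USERS = {"admin", "moderator"}
# Assumed threshold: this many consecutive failures before a success is suspicious.
BRUTE_FORCE_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_alerts(log_text, threshold=BRUTE_FORCE_THRESHOLD):
    """Return (rule, src, user, ts) tuples for every suspicious successful login."""
    alerts = []
    failures = defaultdict(int)  # (src, user) -> consecutive failed logins
    for ev in parse(log_text.splitlines()):
        key = (ev["src"], ev["user"])
        if ev["event"] == "login_failed":
            failures[key] += 1
        elif ev["event"] == "login_success":
            if ev["user"] in DEFAULT_USERS:
                alerts.append(("default_account_login", ev["src"], ev["user"], ev["ts"]))
            if failures[key] >= threshold:
                alerts.append(("failures_then_success", ev["src"], ev["user"], ev["ts"]))
            failures[key] = 0  # a success resets the streak for that source/user
    return alerts
```

Running `find_alerts(SAMPLE_LOGS)` on the constructed lines yields three alerts: two for the admin login from 10.0.0.5 (default account, and three failures followed by success) and one for the moderator login.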
