CVE-2019-3929
Published: 30 April 2019
Summary
CVE-2019-3929 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Crestron AM-100 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The CVE-2019-3929 vulnerability is an OS command injection flaw present in the file_transfer.cgi HTTP endpoint of multiple wireless presentation and collaboration devices. Affected products include Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7. The issue is tracked under CWE-78 and CWE-79 and carries a CVSS 3.1 score of 9.8.
A remote unauthenticated attacker can send crafted HTTP requests to the endpoint and execute arbitrary operating system commands with root privileges, resulting in full device compromise without any user interaction or authentication.
Public exploit code demonstrating unauthenticated remote command injection against Barco, AWIND OEM, and related platforms has been published via Packet Storm, Exploit-DB, and Tenable research disclosures.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-13536
Vulnerability details
The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
- CWE(s): CWE-78, CWE-79
- KEV Date Added: 15 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks OS command injection in file_transfer.cgi by validating all HTTP input parameters before they reach the shell.
- AC-3 (Access Enforcement): Enforces access-control policy on the CGI endpoint so that unauthenticated remote requests cannot invoke privileged commands.
- Requires successful identification and authentication before any user or process can reach the vulnerable file_transfer.cgi functionality.