Crestron Touchscreens x70 Argument Injection Vulnerability Granting Privileged Operating System Access

Vulnerability

A vulnerability allowing argument injection has been identified in Crestron Touchscreens x70, specifically in versions 3.001.0031.001 through 3.001.0034.001. This issue arises from improper neutralization of argument delimiters in command processing. A specially crafted SCP command sent via an SSH login string can exploit this vulnerability, allowing a valid administrator user to gain privileged operating system access on the device. The vulnerability also affects several other Crestron products, including the TSW-x60, TST-1080AM-3000/3100/3200, Soundbar VB70HD-PS622/621/402, HD-TXU-RXU-4kZ-211, and HD-MDNXM-4KZ-E.

Impact

Exploitation of this vulnerability could lead to unauthorized privileged access on the affected device's operating system, allowing for potentially unrestricted control over the device.

Remediation

Users are advised to update to the latest firmware version 3.002.0040.001, which addresses this vulnerability. Additional firmware updates will be published as they become available.
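
The version range and fixed release stated above can be checked against a device inventory. The following Python script is an added example, not code from Crestron or from this page; the hostnames and inventory are constructed, and treating every release at or above 3.002.0040.001 as fixed is an assumption. Versions outside both ranges are reported as "unlisted" because the advisory does not state their status.

```python
# Added example: classify x70 firmware strings against the ranges in this advisory.
AFFECTED_MIN = (3, 1, 31, 1)   # 3.001.0031.001, first affected version per the advisory
AFFECTED_MAX = (3, 1, 34, 1)   # 3.001.0034.001, last affected version per the advisory
FIXED = (3, 2, 40, 1)          # 3.002.0040.001, firmware that addresses the issue


def parse_version(text):
    """Parse 'A.BBB.CCCC.DDD' into a tuple of ints; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(text):
    """Return 'affected', 'fixed', 'unlisted' or 'unparseable' for one firmware string."""
    version = parse_version(text)
    if version is None:
        return "unparseable"          # needs manual review, never assume safe
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED:              # assumption: later releases keep the fix
        return "fixed"
    return "unlisted"                 # advisory is silent on this version; update anyway


def triage(inventory):
    """Map each hostname to its status."""
    return {host: classify(fw) for host, fw in inventory.items()}


# Constructed sample inventory (hostnames and the mix of versions are illustrative).
SAMPLE_INVENTORY = {
    "room-101-panel": "3.001.0031.001",
    "room-102-panel": "3.001.0034.001",
    "room-103-panel": "3.002.0040.001",
    "lobby-panel": "3.001.0035.000",
    "lab-panel": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:16} {SAMPLE_INVENTORY[host]:16} {status}")
```
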

Added: Sep 3, 2025, 2:35 PM
Updated: Sep 3, 2025, 2:35 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 4.4
remediation: 0.0
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.