CVE-2019-3938

Name of the Vulnerable Software and Affected Versions Crestron AM-100 version 1.6.0.2 Crestron AM-101 version 2.7.0.2

Description The issue allows a local attacker to gain access to a device's username and passwords. This is possible because the configuration file, which stores sensitive information such as usernames, passwords, and other configuration options, is encrypted using a hard-coded logic in the awenc binary. As a result, any configuration file can be decrypted using the same binary, potentially leading to unauthorized access.

Recommendations For Crestron AM-100 version 1.6.0.2, consider restricting access to the configuration file and the awenc binary to minimize the risk of exploitation. For Crestron AM-101 version 2.7.0.2, consider restricting access to the configuration file and the awenc binary to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.