CVE-2018-10630 : For Crestron TSW-X60 version prior to 2.001.0037.001 and MC3 version prior to 1.

For Crestron TSW-X60 version prior to 2.001.0037.001 and MC3 version prior to 1.502.0047.001, The devices are shipped with authentication disabled, and there is no indication to users that they need to take steps to enable it. When compromised, the access to the CTP console is left open.

Published 2018-08-10 19:29:00

Updated 2019-10-09 23:32:57

Source ICS-CERT

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2018-10630

Crestron » Tsw-x60 Firmware
Versions before (<) 2.001.0037.001
cpe:2.3:o:crestron:tsw-x60_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Crestron » Tsw-1060-b-s » Version: N/A
When used together with: Crestron » Tsw-1060-nc-b-s » Version: N/A
When used together with: Crestron » Tsw-1060-nc-w-s » Version: N/A
When used together with: Crestron » Tsw-1060-w-s » Version: N/A
When used together with: Crestron » Tsw-560-b-s » Version: N/A
When used together with: Crestron » Tsw-560-nc-b-s » Version: N/A
When used together with: Crestron » Tsw-560-nc-w-s » Version: N/A
When used together with: Crestron » Tsw-560-w-s » Version: N/A
When used together with: Crestron » Tsw-760-b-s » Version: N/A
When used together with: Crestron » Tsw-760-nc-b-s » Version: N/A
When used together with: Crestron » Tsw-760-nc-w-s » Version: N/A
When used together with: Crestron » Tsw-760-w-s » Version: N/A
Crestron » Mc3 Firmware
Versions before (<) 1.502.0047.001
cpe:2.3:o:crestron:mc3_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Crestron » MC3 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2018-10630

EPSS FAQ

0.28%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 49 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-10630

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-10630

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: ics-cert@hq.dhs.gov (Secondary)
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-10630

https://ics-cert.us-cert.gov/advisories/ICSA-18-221-01

Crestron TSW-X60 and MC3 | CISA
Patch;Third Party Advisory;US Government Resource

CVEs referencing this url
http://www.securityfocus.com/bid/105051

Crestron TSW-X60 and MC3 Multiple Security Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2018-10630

Products affected by CVE-2018-10630

Exploit prediction scoring system (EPSS) score for CVE-2018-10630

CVSS scores for CVE-2018-10630

CWE ids for CVE-2018-10630

References for CVE-2018-10630