CVE-2019-11224 Injection dangerous command into HARMAN AMX

Affected Vendor: AMX – https://www.amx.com/
Affected Software: MVP5150 Firmware
Affected Version: Tested on V2.87.13
Issue type: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Release Date: 07/05/2019
Discovered by: Harold Zang, Hivint
CVE Identifier: CVE-2019-11224
Issue status: Publish

Summary

AMX (www.amx.com) is part of the HARMAN Professional Division, and the leading brand for the business, education, and government markets for the company.

Description

HARMAN AMX MVP5150 v2.87.13 devices are vulnerable to OS Command Injection.

Impact

An attacker who is able to log in to the AMX MVP5150 via the Telnet service can inject and execute malicious OS commands.

Proof of concept

1. Log in to the device via Telnet.
2. Use the following command to perform a command injection:
ping 127.0.0.1;ls
3. Use the following command to observe that it is possible to bypass the disallowed space character:
ping 127.0.0.1;HZ=$'\n';ls$hz/bin/

Solution

The vendor has advised that this product is obsolete and that, at this stage, no product development is expected around it. However, if there is a specific customer request for development, it can be considered based on the priority/requirement.

Response timeline

09/03/2019 – Found the issue
09/03/2019 – Tried to notify vendor
03/04/2019 – Vendor notified
07/05/2019 – Publish