CVE-2019-11224: Command Injection Vulnerability in HARMAN AMX MVP5150

SpZ included in categories CVE Security Security Advisory

06-05-2019 06-05-2019 286 words 2 minutes

CVE-2019-11224 Injection dangerous command into HARMAN AMX

Contents

This article shows the details of CVE-2019-11224 security vulnerability.

Overview

Affected Vendor: AMX by HARMAN
Website: https://www.amx.com/
Affected Software: MVP5150 Firmware
Affected Version: Tested on V2.87.13
Issue Type: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CVE Identifier: CVE-2019-11224
Release Date: 07/May/2019
Discovered by: Harold Zang, Hivint
Status: Published

Summary

AMX, a brand under HARMAN Professional Division, is renowned in the business, education, and government sectors. The MVP5150 firmware version 2.87.13 has been identified as vulnerable to an OS command injection attack.

Description of the Vulnerability

This security vulnerability allows for improper neutralization of special elements that could be used in an OS command, making it possible for remote attackers to execute arbitrary commands.

Impact of the Vulnerability

An attacker with access to the Telnet service of the AMX MVP5150 can inject and execute malicious OS commands. This flaw exposes the system to potential unauthorized access and control, posing significant risks to data integrity and security.

Proof of Concept

The following steps demonstrate how the command injection can be executed:

Telnet Access:
- Access the device through Telnet.
Command Injection:
- Execute the command to confirm injection capability:
  1
  
  ping 127.0.0.1;ls
Bypass Disallowed Space Character:
- Demonstrate bypassing space character restriction:
  1
  
  ping 127.0.0.1;HZ=$'\n';ls$hz/bin/

Proposed Solution

The vendor has informed that this product is obsolete and at this stage there is no product development expected around this product. However if there is any specific customer request for development then it can be considered based on the priority/ requirement.

Response Timeline

9/Mar/2019: Vulnerability discovered.
9/Mar/2019: Initial attempt to notify the vendor.
3/Apr/2019: Vendor successfully notified.
7/May/2019: Advisory published.

This CVE highlights the importance of maintaining and updating legacy systems, particularly those that are no longer supported or updated by their vendors.