CVE-2019-11224: Command Injection Vulnerability in HARMAN AMX MVP5150
This article details the CVE-2019-11224 security vulnerability.
Overview
Affected Vendor: AMX by HARMAN
Website: https://www.amx.com/
Affected Software: MVP5150 Firmware
Affected Version: Tested on V2.87.13
Issue Type: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CVE Identifier: CVE-2019-11224
Release Date: 07/May/2019
Discovered by: Harold Zang, Hivint
Status: Published
Summary
AMX, a brand under HARMAN Professional Division, is renowned in the business, education, and government sectors. The MVP5150 firmware version 2.87.13 has been identified as vulnerable to an OS command injection attack.
Description of the Vulnerability
The firmware does not properly neutralize special elements used in an OS command, making it possible for remote attackers to execute arbitrary commands.
Impact of the Vulnerability
An attacker with access to the Telnet service of the AMX MVP5150 can inject and execute malicious OS commands. This flaw exposes the system to potential unauthorized access and control, posing significant risks to data integrity and security.
Proof of Concept
The following steps demonstrate how the command injection can be executed:
- Telnet Access:
  - Access the device through Telnet.
- Command Injection:
  - Execute the command to confirm injection capability:
    ping 127.0.0.1;ls
- Bypass Disallowed Space Character:
  - Demonstrate bypassing space character restriction:
    ping 127.0.0.1;HZ=$'\n';ls$hz/bin/
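Both inputs above contain no space, so a filter that rejects only that character lets them through; validating the ping target against an allowlist and running ping without a shell closes this class of bug. The following C code is an added example, not AMX firmware code and not from the advisory's author; the function names and the space-only filter model are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed model of the device's input filter: only spaces are rejected. */
int space_only_filter_accepts(const char *arg)
{
    return strchr(arg, ' ') == NULL;
}

/* Allowlist: an IPv4/IPv6 literal, or a hostname built from letters,
 * digits, '-' and '.', where no label starts or ends with '-'.
 * Rejecting a leading '-' also blocks option injection into ping. */
int is_safe_ping_target(const char *arg)
{
    unsigned char buf[16];              /* large enough for an IPv6 address */
    size_t len = strlen(arg), i;

    if (len == 0 || len > 253)
        return 0;
    if (inet_pton(AF_INET, arg, buf) == 1 || inet_pton(AF_INET6, arg, buf) == 1)
        return 1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        int edge = (i == 0 || i == len - 1 ||
                    arg[i - 1] == '.' || arg[i + 1] == '.');
        if (isalnum(c) || (c == '-' && !edge))
            continue;
        if (c == '.' && i != 0 && arg[i - 1] != '.')
            continue;                   /* no leading dot, no empty label */
        return 0;                       /* ';', '$', quotes, '/', newline, ... */
    }
    return 1;
}

/* Fill argv for execvp() so that no shell ever parses operator input.
 * Returns 0 on success, -1 if the target is rejected. */
int build_ping_argv(const char *target, const char *argv[5])
{
    if (!is_safe_ping_target(target))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = target;
    argv[4] = NULL;
    return 0;
}
```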
Proposed Solution
The vendor has advised that this product is obsolete and that, at this stage, no further product development is expected for it. However, if there is a specific customer request for development, it can be considered based on priority and requirement.
Response Timeline
- 9/Mar/2019: Vulnerability discovered.
- 9/Mar/2019: Initial attempt to notify the vendor.
- 3/Apr/2019: Vendor successfully notified.
- 7/May/2019: Advisory published.
This CVE highlights the importance of maintaining and updating legacy systems, particularly those that are no longer supported or updated by their vendors.