CVE-2019-11224: Command Injection Vulnerability in HARMAN AMX MVP5150

This article shows the details of CVE-2019-11224 security vulnerability.

Affected Vendor: AMX by HARMAN
Website: https://www.amx.com/
Affected Software: MVP5150 Firmware
Affected Version: Tested on V2.87.13
Issue Type: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CVE Identifier: CVE-2019-11224
Release Date: 07/May/2019
Discovered by: Harold Zang, Hivint
Status: Published

AMX, a brand under HARMAN Professional Division, is renowned in the business, education, and government sectors. The MVP5150 firmware version 2.87.13 has been identified as vulnerable to an OS command injection attack.

This security vulnerability allows for improper neutralization of special elements that could be used in an OS command, making it possible for remote attackers to execute arbitrary commands.

An attacker with access to the Telnet service of the AMX MVP5150 can inject and execute malicious OS commands. This flaw exposes the system to potential unauthorized access and control, posing significant risks to data integrity and security.

The following steps demonstrate how the command injection can be executed:

  1. Telnet Access:
    • Access the device through Telnet.
  2. Command Injection:
    • Execute the command to confirm injection capability:

      bash

      ping 127.0.0.1;ls
  3. Bypass Disallowed Space Character:
    • Demonstrate bypassing space character restriction:

      bash

      ping 127.0.0.1;HZ=$'\n';ls$hz/bin/

The vendor has informed that this product is obsolete and at this stage there is no product development expected around this product. However if there is any specific customer request for development then it can be considered based on the priority/ requirement.

  • 9/Mar/2019: Vulnerability discovered.
  • 9/Mar/2019: Initial attempt to notify the vendor.
  • 3/Apr/2019: Vendor successfully notified.
  • 7/May/2019: Advisory published.

This CVE highlights the importance of maintaining and updating legacy systems, particularly those that are no longer supported or updated by their vendors.