Trivum MusicCenter / Trivum Multiroom Setup Tool control.xml Code Execution [CVE-2018-13858]
Trivum MusicCenter / Trivum Multiroom Setup Tool could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in /xml/system/control.xml. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause the device to reboot.
This issue affects an unknown function of the file /xml/system/control.xml. Manipulating the argument ?action=reboot as part of a GET request leads to a privilege escalation vulnerability. The issue is classified as CWE-269. Confidentiality, integrity, and availability are impacted.
CVE number – CVE-2018-13858
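To check whether a device has been receiving the requests described above, the following added example (not part of the original advisory or Trivum's software) scans web access logs for GET requests to /xml/system/control.xml and counts action=reboot requests per source. It assumes the logs come from a reverse proxy or sensor in front of the device and use Common Log Format; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

CONTROL_PATH = "/xml/system/control.xml"  # path named in the advisory

# Assumed log layout: Common Log Format from a proxy in front of the device.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_control_requests(lines):
    """Return (src, timestamp, action, status) for each GET to control.xml."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        raw_path, _, query = m["target"].partition("?")
        # Normalise before comparing: decode %-escapes, collapse '//', lowercase.
        path = re.sub(r"/+", "/", unquote(raw_path)).lower()
        if path != CONTROL_PATH:
            continue
        actions = [v.lower() for k, v in parse_qsl(query, keep_blank_values=True)
                   if k.lower() == "action"]
        for action in actions or ["(none)"]:
            hits.append((m["src"], m["ts"], action, int(m["status"])))
    return hits

def reboot_sources(hits):
    """Count action=reboot requests per source address."""
    return Counter(src for src, _, action, _ in hits if action == "reboot")

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Aug/2018:10:15:02 +0000] "GET /xml/system/control.xml?action=reboot HTTP/1.1" 200 112',
    '192.0.2.10 - - [01/Aug/2018:10:16:40 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/Aug/2018:10:17:11 +0000] "GET /xml/system/control.xml?x=1&Action=Reboot HTTP/1.1" 200 112',
    '192.0.2.10 - - [01/Aug/2018:10:18:00 +0000] "GET /xml/system/control.xml HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    hits = find_control_requests(SAMPLE_LOG)
    for src, ts, action, status in hits:
        print(f"{ts} {src} action={action} status={status}")
    print(dict(reboot_sources(hits)))
```

A reboot request that returned a 2xx status from an address outside the management network is the case worth following up, together with confirming the installed build against the fixed version listed under Resolution.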
Resolution
Upgrade to the latest version of Trivum MusicCenter / Trivum Multiroom Setup Tool (9.34 build 13381 – 12.07.18 or later), available from the Trivum Web site.
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.