IP cameras

Chinese firm Foscam has published firmware updates to address three vulnerabilities in multiple models of IP-based cameras. The flaws, when exploited, allow an attacker to take control of vulnerable cameras, and especially those left connected online via a public IP address.

These vulnerabilities have been discovered in the past month by security researchers from VDOO, a company specialized in IoT security.

VDOO says the three vulnerabilities are CVE-2018-6830, CVE-2018-6831, and CVE-2018-6832, and that an attacker can chain the three together in the following way to take over Foscam cameras.

Step 1: An adversary must first obtain the camera’s IP address or DNS name. It can be achieved in several ways, including:
    (1) If the camera and the network are configured by the user such that the camera has direct interface to the internet, its address might be revealed by some internet scanners.
    (2) If the adversary gained unauthorized (remote or local) access to a network to which the camera is connected, he might be able to find the local address of the camera.
    (3) If dynamic DNS is enabled by the user, the adversary might find a way to resolve the device name

Step 2: The adversary then uses CVE-2018-6830, an arbitrary file deletion vulnerability, to delete certain critical files that will result in authentication bypass when the webService process reloads.

Step 3: The adversary crashes the webService process by exploiting CVE-2018-6832, a stack-based buffer overflow vulnerability in the webService process. After it crashes, the webService process is automatically restarted by the watchdog daemon, and during the process reload, the changes from step 2 take effect. The adversary is now able to gain administrative credentials.

Step 4: The adversary executes root commands by exploiting CVE-2018-6831. This is a shell command injection vulnerability that requires administrator credentials. Since the adversary gained administrator credentials in the previous stage, he can now use this vulnerability to execute commands as the root user for privilege escalation.

VDOO experts claim the security bugs occurred because of multiple reasons, such as (1) device processes running as root; (2) using external processes (shell commands) for trivial tasks instead of using programming APIs and libraries; (3) bad input sanitization; and (4) use of weak encryption to protect the device's firmware from external analysis.

Foscam starts acting like a responsible company

The good news is that Foscam responded positively to the VDOO report, and issued firmware updates to address the flaws in its products, even thanking VDOO for their work.

This is a major change of attitude from a company that last year ignored reports of 18 security bugs discovered by F-Secure researchers.

VDOO researchers said they have not seen any botnet or threat actor exploiting the reported issues before the publication of their report. Nonetheless, this will no doubt change, as botnet herders are known to be quick to weaponize IoT vulnerabilities to their advantage.

Unknown number of white-labeled cameras affected

VDOO has published a technical write-up containing more information about each of the three vulnerabilities, including proof-of-concept code to reproduce the bug.

The VDOO write-up also contains the following table with the affected Foscam camera models and the firmware version that contains fixes for the reported issues. Instructions on how to update Foscam camera firmware are available here. Users are advised to update as soon as possible.

Besides the camera models listed in the table below, camera models from other vendors are also affected. This is because Foscam is one of the biggest sellers of white-label IP cameras that other vendors buy and put their logo on top, without customers knowing they're actually running a Foscam device. Unfortunately, this information is impossible to track down, and users are left at the mercy of the second-hand buyer who is now responsible of taking the Foscam firmware patches and sending it downstream to its own customers.

Camera models Application firmware version
C1 Lite V3 2.82.2.33
C1 V3 2.82.2.33
FI9800P V3 2.84.2.33
FI9803P V4 2.84.2.33
FI9816P V3 2.81.2.33
FI9821EP V2 2.81.2.33
FI9821P V3 2.81.2.33
FI9826P V3 2.81.2.33
FI9831P V3 2.81.2.33
FI9851P V3 2.84.2.33
FI9853EP V2 2.84.2.33
C1 2.52.2.47
C1 V2 2.52.2.47
C1 Lite 2.52.2.47
C1 Lite V2 2.52.2.47
FI9800P 2.54.2.47
FI9800P V2 2.54.2.47
FI9803P V2 2.54.2.47
FI9803P V3 2.54.2.47
FI9815P 2.51.2.47
FI9815P V2 2.51.2.47
FI9816P 2.51.2.47
FI9816P V2 2.51.2.47
FI9851P V2 2.54.2.47
R2 2.71.1.59
C2 2.72.1.59
R4 2.71.1.59
FI9900EP 2.74.1.59
FI9900P 2.74.1.59
FI9901EP 2.74.1.59
FI9961EP 2.72.1.59
FI9928P 2.74.1.58
FI9803EP 2.22.2.31
FI9803P 2.24.2.31
FI9853EP 2.22.2.31
FI9851P 2.24.2.31
FI9821P V2 2.21.2.31
FI9826P V2 2.21.2.31
FI9831P V2 2.21.2.31
FI9821EP 2.21.2.31
FI9821W V2 2.11.1.120
FI9818W V2 2.13.2.120
FI9831W 2.11.1.120
FI9826W 2.11.1.120
FI9821P 2.11.1.120
FI9831P 2.11.1.120
FI9826P 2.11.1.120
FI9805W 2.14.1.120
FI9804W 2.14.1.120
FI9804P 2.14.1.120
FI9805E 2.14.1.120
FI9805P 2.14.1.120
FI9828P 2.13.1.120
FI9828W 2.13.1.120
FI9828P V2 2.11.1.133

Related Articles:

Bushido-Powered DDoS Service Whipped Up from Leaked Code

Microsoft December 2018 Patch Tuesday Fixes Actively Used Zero-Day Vulnerability

Botnet of 20,000 WordPress Sites Infecting Other WordPress Sites

Apple Fixes Passcode Bypass, RCE Vulnerabilities, and More in Today's Updates.

Adobe Flash Player Update Released for Remote Code Execution Vulnerability