Axis Communications AB, a Swedish manufacturer of network cameras for physical security and video surveillance, has patched seven security flaws across nearly 400 security camera models.
The vulnerabilities came to light following an analysis of Axis firmware by VDOO, a cyber-security firm. VDOO experts analyzed the vendor's firmware as part of an internal initiative focused on the security of IP cameras, named Project Vizavis.
The seven vulnerabilities discovered by VDOO experts include the following:
VDOO published a technical report today detailing each flaw in depth, along with proof-of-concept code to reproduce the behavior in older Axis firmware.
Experts notified the vendor about these flaws, and the Swedish company released firmware updates. The company published a PDF document that lists all the affected camera models, along with the firmware version number that includes the fixes and a link to download the updated firmware.
To exploit the flaws, an attacker would need to know a camera's IP address, but this is hardly an obstacle nowadays, when most botnets scan the entire IPv4 address space looking for vulnerable devices.
The vulnerabilities are not overly dangerous when taken one by one, but VDOO says that by chaining three of them (CVE-2018-10660, CVE-2018-10661, and CVE-2018-10662) an attacker would be able to take over vulnerable devices without knowing their credentials.
VDOO says that an attacker who has gained control over a camera can perform various actions including, but not limited to:
Security researchers said they had not detected, and were not aware of, any attempts to exploit these flaws at the time of publishing. Taking into account recent events, botnets will be quick to jump on these bugs and add them to their arsenal.
Device owners are advised to install the patched firmware as soon as possible. Other mitigation advice is included in VDOO's technical report on the matter.
Previously in Project Vizavis, VDOO experts revealed several security flaws in the firmware of Foscam IP cameras.