Axis flaws

Axis Communications AB, a Swedish manufacturer of network cameras for physical security and video surveillance, has patched seven security flaws across nearly 400 security camera models.

The vulnerabilities came to light following an analysis of Axis firmware by VDOO, a cyber-security firm. VDOO experts analyzed the vendor's firmware as part of an internal initiative focused on the security of IP cameras, named Project Vizavis.

The seven vulnerabilities discovered by VDOO experts include the following:

CVE-2018-10658 - Crashing the /bin/ssid process
CVE-2018-10659 - Crashing of the /bin/ssid process
CVE-2018-10660 - Shell command injection vulnerability
CVE-2018-10661 - Authorization bypass vulnerability
CVE-2018-10662 - Unrestricted dbus access for users of the .srv functionality
CVE-2018-10663 - Information Leakage vulnerability in the /bin/ssid process
CVE-2018-10664 - Crashing the httpd process

PoCs and patches available

VDOO published a technical report today detailing each flaw in depth, along with proof-of-concept code to reproduce the behavior in older Axis firmware.

Experts notified the vendor about these flaws, and the Swedish company released firmware updates. The company published the following PDF document that lists all the affected camera models, along with the firmware version number that includes the fixes, and a link where to get the updated firmware.

To exploit the flaws, an attacker would need to know a camera's IP address, but this isn't an issue nowadays when most botnets scan the entire IPv4 address space looking for vulnerable devices.

The vulnerabilities are not overly dangerous when taken one by one, but VDOO says that by chaining three of them —CVE-2018-10660, CVE-2018-10661, and CVE-2018-10662— an attacker would be able to take over vulnerable devices without knowing their credentials.

VDOO says that an attacker who has gained control over a camera can perform various actions including, but not limited to:

⊡  Access to camera’s video stream
⊡  Freeze the camera’s video stream
⊡  Control the camera – move the lens to a desired point, turn motion detection on/off
⊡  Add the camera to a botnet
⊡  Alter the camera’s software
⊡  Use the camera as an infiltration point for network (performing lateral movement)
⊡  Render the camera useless
⊡  Use the camera to perform other nefarious tasks (DDoS attacks, Bitcoin mining, others)

No exploitation detected (yet)

Security researchers said they have not detected or are not aware of any attempts to exploit these flaws at the time of publishing. Taking into account recent events, botnets will be quick to jump on these bugs and add them to their arsenal.

Device owners are advised to install the patched firmware as soon as possible. Other mitigation advice is included in VDOO's technical report on the matter.

Previously in Project Vizavis, VDOO experts revealed several security flaws in the firmware of Foscam IP cameras.

Related Articles:

Vulnerabilities in Fax Protocol Let Hackers Infiltrate Networks via Fax Machines

Flaws in Diqee 360 Smart Vacuums Let Hackers Spy on Their Owners

Half a Billion IoT Devices Vulnerable to DNS Rebinding Attacks

Passwords for Tens of Thousands of Dahua Devices Cached in IoT Search Engine

Someone Is Taking Over Insecure Cameras and Spying on Device Owners