SB2018061902 - Multiple vulnerabilities in Axis Communications video cameras



Published: June 19, 2018

Security Bulletin ID: SB2018061902
Severity: High
Patch available: YES
Number of vulnerabilities: 7
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 14%, Low: 86%

Description

This security bulletin contains information about 7 security vulnerabilities.


1) Authorization bypass (CVE-ID: CVE-2018-10661)

The vulnerability allows a remote attacker to bypass authorization on the target system.

The weakness exists in mod_authz_axisgroupfile.so, a custom authorization module for Apache httpd written by the vendor, and is due to insufficient validation of user-supplied input. A remote attacker can send unauthenticated requests to a world-readable file that are followed by a backslash and end with the .srv extension. The authorization code treats these as standard requests to index.html and grants access, which bypasses the web server’s authorization mechanism.


2) Privilege escalation (CVE-ID: CVE-2018-10662)

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists because PolicyKit, the authorization mechanism that is intended to limit requests, is configured to automatically grant access to requests originating from the root user. A remote attacker can use legitimate requests that reach /bin/ssid’s .srv functionality, choose one of several actions by setting the action parameter in the request’s query string, and invoke any dbus request as root (the uid and gid of the /bin/ssid process), without any restriction on the destination or content.


3) OS command execution (CVE-ID: CVE-2018-10660)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The weakness exists in the parhand parameter handler, which is responsible for fetching, storing, and changing many of the device’s internal parameters. When a parameter is set through the web interface, the relevant CGI script (param.cgi) forwards the set-parameter request to the parhand binary, which checks access rights and stores the parameter’s value in the relevant configuration file. A remote attacker can set a parameter in this way and execute arbitrary shell commands with root privileges.

Successful exploitation of the vulnerability may result in system compromise.


4) Improper input validation (CVE-ID: CVE-2018-10664)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to insufficient validation of user-supplied input. A remote attacker can issue an HTTP request to a .cgi script URL with a PATH_INFO that ends with the .srv extension, crash the httpd process and cause (at least) a black screen for viewers who were already logged in to the camera using the web interface with default settings.
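A log check for the request shape described in items 1 and 4 (a file-like path segment followed by extra path data ending in .srv), as an added example that is not part of the original bulletin or any vendor material. It assumes access logs in combined log format from a proxy or web server in front of the camera; the sample lines, addresses and paths are constructed placeholders, and matching both slash and backslash separators (plain or percent-encoded) is an assumption of this example.

```python
import re
from urllib.parse import unquote

# Request field of a combined-log-format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A segment that looks like a file (name.ext), then a slash or backslash,
# then trailing path data that ends in .srv.
SUSPICIOUS_RE = re.compile(r'/[^/\\]+\.(?P<ext>[A-Za-z]{2,5})[/\\].*\.srv$',
                           re.IGNORECASE)


def classify(target):
    """Return 'cgi-pathinfo-srv', 'file-pathinfo-srv' or None for a request target."""
    path = target.split("?", 1)[0]       # the query string is not part of the path
    path = unquote(unquote(path))        # %5C and %255C both become a backslash
    m = SUSPICIOUS_RE.search(path)
    if not m:
        return None
    if m.group("ext").lower() == "cgi":
        return "cgi-pathinfo-srv"        # shape described for CVE-2018-10664
    return "file-pathinfo-srv"           # shape described for CVE-2018-10661


def scan(lines):
    """Return (line_number, kind, raw_target) for every suspicious log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        kind = classify(m.group("target"))
        if kind:
            hits.append((n, kind, m.group("target")))
    return hits


# Constructed sample log lines (documentation addresses, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jun/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Jun/2018:10:00:05 +0000] "GET /index.html%5Cexample.srv HTTP/1.1" 200 64',
    '198.51.100.7 - - [19/Jun/2018:10:00:09 +0000] "GET /example.cgi/example.srv HTTP/1.1" 500 0',
    '192.0.2.10 - - [19/Jun/2018:10:00:12 +0000] "GET /example.srv HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for n, kind, target in scan(SAMPLE_LOG):
        print(f"line {n}: {kind}: {target}")
```

A plain request to a .srv resource is not flagged; only a .srv suffix appended after another file-like segment is, so hits are worth reviewing together with the response status and the source address.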


5) Information disclosure (CVE-ID: CVE-2018-10663)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because the ‘return_page’ and ‘servermanager_return_page’ query-string parameters in /bin/ssid’s .srv functionality are controlled by the user and returned in the response to the user’s request. A remote attacker can make the calculated content-length larger than the actual data buffer, and as a result extra bytes from memory are leaked in the response.


6) Null pointer dereference (CVE-ID: CVE-2018-10658)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a NULL pointer dereference when handling user-supplied input. A remote attacker can send a dbus request with a specially crafted string through the /bin/ssid .srv interface to crash the ssid service.


7) Improper input validation (CVE-ID: CVE-2018-10659)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a code path that calls the UND undefined ARM instruction (and possibly a similar scenario in cameras based on MIPS or other architectures). A remote attacker can send a specially crafted command through the /bin/ssid .srv interface and cause the /bin/ssid process to crash.


Remediation

Install the update from the vendor's website.