Multiple vulnerabilities in Axis Communications video cameras



Published: 2018-06-19
Risk: High
Patch available: YES
Number of vulnerabilities: 7
CVE-ID: CVE-2018-10661, CVE-2018-10662, CVE-2018-10660, CVE-2018-10664, CVE-2018-10663, CVE-2018-10658, CVE-2018-10659
CWE-ID: CWE-862, CWE-264, CWE-78, CWE-20, CWE-200, CWE-476
Exploitation vector: Network
Public exploit:
Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #4 is available.
Public exploit code for vulnerability #5 is available.
Public exploit code for vulnerability #6 is available.
Public exploit code for vulnerability #7 is available.
Vulnerable software
Axis Communications video cameras
Hardware solutions / Firmware

Vendor: Axis Communications

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Authorization bypass

EUVDB-ID: #VU13384

Risk: Low

CVSSv3.1: 9.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2018-10661

CWE-ID: CWE-862 - Missing Authorization

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass authorization on the target system.

The weakness exists in mod_authz_axisgroupfile.so, a custom authorization module for Apache httpd written by the vendor, due to insufficient validation of user-supplied input. A remote attacker can send unauthenticated requests to a world-readable file that are followed by a backslash and end with the .srv extension. The authorization code treats them as standard requests to index.html and grants access, which bypasses the web server’s authorization mechanism.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Axis Communications video cameras: All versions

External links

http://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

2) Privilege escalation

EUVDB-ID: #VU13385

Risk: Low

CVSSv3.1: 9.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2018-10662

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists because PolicyKit, the authorization mechanism intended to limit requests, is configured to automatically grant access to requests originating from the root user. A remote attacker can use legitimate requests that reach /bin/ssid’s .srv functionality, choose one of several actions by setting the action parameter in the request’s query string, and invoke any dbus request as root (the uid and gid of the /bin/ssid process), without any restriction on the destination or content.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Axis Communications video cameras: All versions

External links

http://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

3) OS command execution

EUVDB-ID: #VU13386

Risk: High

CVSSv3.1: 9.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2018-10660

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The weakness exists in the parhand parameter handler, which is responsible for fetching, storing, and changing many of the device’s internal parameters. A remote attacker can set a parameter through the web interface, causing the relevant CGI script (param.cgi) to forward the set-parameter request to the parhand binary, which checks access rights and stores the parameter’s value in the relevant configuration file, and execute arbitrary shell commands with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Axis Communications video cameras: All versions

External links

http://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

4) Improper input validation

EUVDB-ID: #VU13387

Risk: Low

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-10664

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to insufficient validation of user-supplied input. A remote attacker can issue an HTTP request to a .cgi script URL with a PATH_INFO that ends with the .srv extension, crash the httpd process and cause (at least) a black screen for viewers that were already logged in to the camera using the web interface with default settings.
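
Added example, not part of the original bulletin or of any vendor code: a log-review heuristic for the request shapes described in vulnerabilities #1 and #4 (a file or .cgi path followed by extra path data ending in .srv). The Common Log Format layout, the sample lines and the decision to match both separators are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed log layout: Apache Common Log Format.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

# Heuristic: a file-like segment (name.ext), a separator, then trailing data
# ending in .srv. The bulletin says "backslash" for #1; PATH_INFO in #4 follows
# a forward slash, so both separators are matched (assumption).
SUSPICIOUS_RE = re.compile(r'/[^/\\]+\.(?P<ext>[a-z0-9]+)[/\\].*\.srv$', re.I)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jun/2018:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Jun/2018:10:00:05 +0000] "GET /index.html/a.srv HTTP/1.1" 200 98',
    '198.51.100.7 - - [19/Jun/2018:10:00:06 +0000] "GET /index.html%5Ca.srv HTTP/1.1" 200 98',
    '198.51.100.9 - - [19/Jun/2018:10:01:00 +0000] "GET /cgi-bin/param.cgi/x.srv HTTP/1.1" 500 0',
    '192.0.2.10 - - [19/Jun/2018:10:02:00 +0000] "GET /local/app.srv HTTP/1.1" 401 0',
]


def classify(target):
    """Return 'cgi-pathinfo-srv', 'file-pathinfo-srv', or None for a request target."""
    path = urlsplit(target).path
    for _ in range(2):  # decode twice so %5c and %255c are normalised before matching
        path = unquote(path)
    m = SUSPICIOUS_RE.search(path)
    if not m:
        return None
    return 'cgi-pathinfo-srv' if m.group('ext').lower() == 'cgi' else 'file-pathinfo-srv'


def scan(lines):
    """Return (client, kind, status, target) for every suspicious request line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, _method, target, status = m.groups()
        kind = classify(target)
        if kind:
            hits.append((client, kind, int(status), target))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with a 2xx status on a file path is worth triage as a possible authorization bypass; a hit on a .cgi path followed by an httpd restart matches the crash described in #4.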

Mitigation

Install update from vendor's website.

Vulnerable software versions

Axis Communications video cameras: All versions

External links

http://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Information disclosure

EUVDB-ID: #VU13388

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-10663

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because the ‘return_page’ and ‘servermanager_return_page’ query-string parameters in /bin/ssid’s .srv functionality are controlled by the user and returned to the user in the response to the request. A remote attacker can make the calculated content-length larger than the actual data buffer, and as a result extra bytes from memory are leaked in the response.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Axis Communications video cameras: All versions

External links

http://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

6) Null pointer dereference

EUVDB-ID: #VU13389

Risk: Low

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-10658

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a NULL pointer dereference when handling user-supplied input. A remote attacker can send, through the /bin/ssid .srv interface, a dbus request with a specially crafted string to crash the ssid service.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Axis Communications video cameras: All versions

External links

http://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

7) Improper input validation

EUVDB-ID: #VU13390

Risk: Low

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-10659

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a code path that calls the UND undefined ARM instruction (and possibly a similar scenario in MIPS or other architectures’ cameras). A remote attacker can send, through the /bin/ssid .srv interface, a specially crafted command and cause the /bin/ssid process to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Axis Communications video cameras: All versions

External links

http://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


