SB2018110206 - Multiple vulnerabilities in Yi Home Camera


Published: November 2, 2018 Updated: December 26, 2018

Security Bulletin ID: SB2018110206
Severity: High
Patch available: YES
Number of vulnerabilities: 12
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 8%, Medium 58%, Low 33%

Description

This security bulletin contains information about 12 security vulnerabilities.


1) OS command injection (CVE-ID: CVE-2018-3890)

The vulnerability allows a physical attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to a logic flaw involving insufficient sanitization of user-supplied data. A physical attacker can insert an SD card to inject arbitrary OS commands and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


2) Logic error (CVE-ID: CVE-2018-3891)

The vulnerability allows a physical attacker to downgrade the firmware.

The vulnerability exists due to a logic flaw. A physical attacker can insert an SD card to downgrade the firmware.


3) Buffer overflow (CVE-ID: CVE-2018-3892)

The vulnerability allows an adjacent attacker to execute arbitrary code on the target system.

The vulnerability exists due to a buffer overflow resulting from insufficient sanitization of user-supplied data. An adjacent attacker can intercept and alter network traffic, trigger a firmware downgrade in the time syncing functionality and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


4) Buffer overflow (CVE-ID: CVE-2018-3898)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a buffer overflow in the QR code scanning functionality resulting from insufficient sanitization of user-supplied data. A remote attacker can trick the victim into displaying a QR code from the internet and scanning it with their camera, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


5) Buffer overflow (CVE-ID: CVE-2018-3899)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a buffer overflow in the QR code scanning functionality resulting from insufficient sanitization of user-supplied data. A remote attacker can trick the victim into displaying a QR code from the internet and scanning it with their camera, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


6) Stack-based buffer overflow (CVE-ID: CVE-2018-3900)

The vulnerability allows a remote high-privileged attacker to execute arbitrary code on the target system.

The vulnerability exists due to a stack-based buffer overflow in the QR code scanning functionality resulting from insufficient sanitization of user-supplied data. A remote attacker can trick the victim into displaying a QR code from the internet and scanning it with their camera, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


7) OS command injection (CVE-ID: CVE-2018-3910)

The vulnerability allows an adjacent attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to a flaw in the cloud OTA setup functionality involving insufficient sanitization of user-supplied data. An adjacent attacker can trick the victim into connecting their camera to this SSID to inject arbitrary OS commands and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


8) Improper input validation (CVE-ID: CVE-2018-3928)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists due to a flaw in the firmware update functionality involving insufficient sanitization of user-supplied data. A remote attacker can send a set of UDP packets, trigger a settings change and cause the service to crash.


9) Authorization bypass (CVE-ID: CVE-2018-3934)

The vulnerability allows a remote attacker to bypass authentication on the target system.

The vulnerability exists due to a logic flaw in the firmware update functionality involving insufficient sanitization of user-supplied data. A remote attacker can sniff network traffic and send a set of UDP packets to bypass authentication and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


10) Information disclosure (CVE-ID: CVE-2018-3947)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to a flaw in the phone-to-camera communications. A remote attacker can sniff network traffic and access arbitrary data.


11) Improper input validation (CVE-ID: CVE-2018-3935)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists due to a flaw in the UDP network functionality involving insufficient sanitization of user-supplied data. A remote attacker can send a set of UDP packets, allocate unlimited memory and cause the service to crash.


12) Improper input validation (CVE-ID: CVE-2018-3920)

The vulnerability allows a physical attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error in the firmware update functionality involving insufficient sanitization of user-supplied data. A physical attacker can insert an SD card containing a 7-Zip file, trigger a CRC collision and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


Remediation

Install the update from the vendor's website.