Vulnerability identifier: #VU15687
Vulnerability risk: Medium
CVSSv3.1: 8.3 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-120
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
Yi Home Camera
Hardware solutions /
Firmware
Vendor: YI Technology
Description
The vulnerability allows an adjacent attacker to execute arbitrary code on the target system.
The vulnerability exists due to buffer overflow during insufficient sanitization of user-supplied data. An adjacent attacker can intercept and alter network traffic, trigger firmware downgrade in the time syncing functionality and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Mitigation
Update to the latest version.
Vulnerable software versions
Yi Home Camera: 27US 1.8.7.0D
External links
http://talosintelligence.com/vulnerability_reports/TALOS-2018-0567
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.