#VU16536 OS command injection in Geutebrück E2 Series IP Cameras
Vulnerability identifier: #VU16536
Vulnerability risk: Medium
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-78
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Geutebrück E2 Series IP Cameras
Hardware solutions /
Office equipment, IP-phones, print servers
Vendor: GEUTEBRÜCK GmbH
Description
The vulnerability allows a remote high-privileged attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to OS system command injection in the DDNS configuration (in the Network Configuration panel). A remote attacker can supply a specially crafted input to inject and execute arbitrary shell commands with root privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Mitigation
Update to version 1.12.0.25.
Vulnerable software versions
Geutebrück E2 Series IP Cameras: All versions
External links
http://ics-cert.us-cert.gov/advisories/ICSA-18-347-03
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
