Analysts at VDOO, who revealed the vulnerabilities, suggested that clients update firmwares instantly in the wake of finding that in more than 400 Axis IP cameras are affected.
Axis produces various cameras, including those for the hotels, industrial and other industries.
The bugs have not yet been abused in the open, the specialists stated, however up to seven vulnerabilities exist – three of which can be misused in a particular arrangement to empower an attacker to remotely execute shell commands.
“Chaining three of the reported vulnerabilities together allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera,” researchers explained in a post.
Through a proof-of-concept (PoC) attack, experts found that an authorization weakness (CVE-2018-10661) exists inside the usefulness of the camera that sends request for data files finishing with specific augmentations (.srv) to the/container/ssid process.
This security vulnerability enables hackers to send unauthenticated HTTP requests that reach the .srv range of capabilities. This methodology handles .srv requests and does not require login credentials (regularly, this should just be accessible to administrators).
Three more vulnerabilities were found that were not a part of the attack; a bug that allows attackrs to crash the httpd process (CVE-2018-10664), an information leak in the /bin/ssid process (CVE-2018-10663); and two other that can cause the /bin/ssid process to crash (CVE-2018-10658 and CVE-2018-10659 vulnerabilities).
VDOO experts noted many of vulnerabilities that are indications to issues that many IoT vendors face:lack of privilege separation, lack of input sanitization and lack of binary encryption of firmwares.
