Critical Flaws Expose 400 Axis Cameras to Remote Attacks
18.6.18 securityweek Vulnerebility
Roughly 400 security cameras from Axis Communications are affected by several vulnerabilities, including critical flaws that can be chained to take complete control of a device and access its video stream.
As part of its research into IoT devices, cybersecurity firm VDOO has uncovered a total of seven vulnerabilities in cameras made by Axis. The vendor has identified nearly 400 affected models and released patches for each of them.
According to VDOO, an attacker who knows the targeted camera’s IP address can remotely and without authentication take full control of the device. This includes accessing its video stream, freezing the video stream, controlling the direction and functions of the camera (e.g. motion detection), adding the device to a botnet, altering its software, leveraging it for lateral movement within the network, abusing it for DDoS attacks and cryptocurrency mining, and rending the camera useless.Critical vulnerabilities found in Axis cameras
There are three vulnerabilities that can be chained to remotely hack a device. These allow an attacker to bypass authentication (CVE-18-10661), send specially crafted requests as root (CVE-18-10662), and inject arbitrary shell commands (CVE-18-10660).
The other flaws discovered by VDOO can be exploited by unauthenticated attackers to crash various processes or to obtain information from the memory.
Technical details and proof-of-concept (PoC) code have been made public for each of the vulnerabilities.
Axis has published an advisory containing the names of all impacted cameras and which firmware version contains patches.
This was not the first time researchers discovered vulnerabilities in cameras from Axis. Roughly one year ago, Senrio found a security hole, dubbed Devil’s Ivy, that allowed an attacker to cause a DoS condition or execute arbitrary code on Axis cameras. Since that flaw affected a third-party component, other IoT devices were affected as well.
As part of its research into IoT products, VDOO also discovered serious vulnerabilities in Foscam cameras. Foscam also released patches, unlike last year when researchers were forced to disclose multiple flaws after the vendor failed to take action.