7 new vulnerabilities discovered in Axis cameras

Reference: CERT.be Advisory #2018-021
Version: 1.0
Affected cameras: 390 different types of cameras (https://www.axis.com/files/sales/ACV-128401_Affected_Product_List.pdf)
CVE: CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663 and CVE-2018-10664
CVSS: Unknown at this time
Type: CVE-2018-10658 - Crashing the /bin/ssid process
CVE-2018-10659 - Crashing of the /bin/ssid process
CVE-2018-10660 - Shell command injection vulnerability
CVE-2018-10661 - Authorization bypass vulnerability
CVE-2018-10662 - Unrestricted dbus access for users of the .srv functionality
CVE-2018-10663 - Information Leakage vulnerability in the /bin/ssid process
CVE-2018-10664 - Crashing the httpd process

Sources

https://www.bleepingcomputer.com/news/security/vendor-patches-seven-vuln...
https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilit...
https://www.axis.com/files/sales/ACV-128401_Affected_Product_List.pdf

Risks

By exploiting three of the seven newly discovered vulnerabilities in a specific sequence, an attacker with network access to the camera can remotely execute shell commands with root privileges. This can lead to at least:
• Access to the camera’s video stream
• Freeze the camera’s video stream
• Control the camera – move the lens to the desired point, turn motion detection on/off
• Add the camera to a botnet
• Alter the camera’s software
• Use the camera as an infiltration point into a network (performing lateral movement)
• Render the camera useless
• Use the camera to perform other nefarious tasks (DDoS attacks, Bitcoin mining, others)

Description

A complete POC (proof of concept) article is available on https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilit...

Recommended actions

CERT.be recommends users to always keep their systems up to date. It’s also recommended to segregate your CCTV camera’s from your main network and avoid to connect them to the public Internet.
Axis has released new Firmwares which can be downloaded at:
https://www.axis.com/support/firmware

Linked information

https://www.bleepingcomputer.com/news/security/vendor-patches-seven-vuln...
https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilit...
https://www.axis.com/files/sales/ACV-128401_Affected_Product_List.pdf
https://www.axis.com/support/firmware