Axis Communications has released firmware patches to mitigate critical vulnerabilities in its security cameras, researchers said.
The vulnerabilities can be chained together to the point where attackers could take control of a device and access its video stream, said researchers at VDOO.
There are seven vulnerabilities in 390 Axis camera models. The security firm found the holes while conducting research into Internet of Things (IoT) devices.
An attacker that knows the targeted camera’s IP address can remotely and without authentication take full control of the device, VDOO researchers said.
Chaining three of the reported vulnerabilities together allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials for the camera) to fully control the affected camera. An attacker with such control could do the following:
• Access the camera’s video stream
• Freeze the camera’s video stream
• Control the camera – move the lens to a desired point, turn motion detection on/off
• Add the camera to a botnet
• Alter the camera’s software
• Use the camera as an infiltration point for the network (performing lateral movement)
• Render the camera useless
• Use the camera to perform other nefarious tasks (DDoS attacks, Bitcoin mining, others)
Three of the vulnerabilities can be chained to remotely compromise a device. These allow an attacker to bypass authentication (CVE-2018-10661), send specially crafted requests as root (CVE-2018-10662), and inject arbitrary shell commands (CVE-2018-10660).
The other flaws discovered by VDOO can be exploited by unauthenticated attackers to crash various processes or to obtain information from memory.
Technical details and proof-of-concept (PoC) code have been made public for each of the vulnerabilities.
Axis has published an advisory containing the names of all impacted cameras and which firmware version contains patches.
“To the best of our knowledge, these vulnerabilities were not exploited in the field,” researchers said.