Geutebrück patched authentication bypass and improper neutralization of special elements vulnerabilities in its G-Cam IP camera, according to a report with ICS-CERT.
The G-Cam/EFD-2250 Version 188.8.131.52 suffers from the remotely exploitable vulnerabilities. Florent Montel and Frédéric Cikala discovered the authentication bypass vulnerability and Davy Douhine of RandoriSec found the improper access control vulnerability.
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and obtain remote anonymous access to the device; these vulnerabilities may allow remote code execution.
Windhagen, Germany-based Geutebrück also has offices in Europe, the United States and Australia.
The product sees action mainly in the commercial facilities, energy, and healthcare and public health sectors.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could exploit the vulnerabilities.
The first issue is an authentication bypass vulnerability: the existing file system architecture could allow attackers to bypass access control, which may allow remote code execution.
CVE-2017-5174 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
The second issue is an improper neutralization of special elements vulnerability. If special elements are not properly neutralized, an attacker can call multiple parameters that can allow access to the root-level operating system, which could allow remote code execution.
CVE-2017-5173 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
Geutebrück recommends customers download and update with the newest patch, which is available by registering for a new web club account or logging into an existing account.