Researchers disclose 7 flaws in 390 Axis IP cameras, remote attacker could take control

If you use Axis security cameras, you really need to update the firmware because seven vulnerabilities found in 390 camera models could allow an attacker to remotely take over the camera.

VDOO security researchers have been looking into the security of IoT products dealing with safety and security and finding zero-day vulnerabilities. Earlier this month, VDOO disclosed a critical chain of vulnerabilities in Foscam security cameras. This time around, the researchers disclosed seven vulnerabilities in Axis Communications’ security cameras.

VDOO senior security researcher Or Peles explained that chaining three of the flaws together could allow “an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera.”

VDOO warned that an attacker who gained such control of an Axis camera could do the following:

• Access the camera’s video stream
• Freeze the camera’s video stream
• Control the camera – move the lens to a desired point, turn motion detection on/off
• Add the camera to a botnet
• Alter the camera’s software
• Use the camera as an infiltration point for network (performing lateral movement)
• Render the camera useless
• Use the camera to perform other nefarious tasks (DDoS attacks, Bitcoin mining, others)

What are the Axis IP camera vulnerabilities?

There are 390 vulnerable models of Axis IP cameras listed as affected products (pdf).

The seven vulnerabilities are CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663 and CVE-2018-10664. By chaining three – CVE-2018-10661, CVE-2018-10662, and CVE-2018-10660 – an attacker with network access to the camera could remotely execute shell commands with root privileges.

The three flaws chained together are an authorization bypass vulnerability (CVE-2018-10661), CVE-2018-10662 which gives unrestricted dbus access for users of the .srv functionality and a shell command injection vulnerability (CVE-2018-10660).

Of the remaining four flaws, one is an information leakage vulnerability and three can be abused to crash processes.

The researchers added that they do not believe the vulnerabilities affecting 390 Axis products have been exploited in the wild yet. However, with the technical deep-dive writeup and proof-of-concept demonstrations being out there now, failing to immediately patch your Axis camera could lead to remote attackers taking control of them.

In the FAQ section, Peles advised checking your Axis IP camera’s firmware version by accessing it via a web browser, entering your username and password, clicking System>Options>Support>System Overview. He included additional advice for how to mitigate the risk if you can’t update the firmware.

At the time of VDOO disclosing the seven vulnerabilities, there was no malware abusing the flaws. Signs that malware or a botnet is on your device include your password no longer working, your device settings being modified, and a spike in network traffic.

If the device has been breached, then restore the camera to factory settings. “Keep in mind that if you’re using a firmware susceptible to the vulnerabilities detected by VDOO, the device might be targeted and can become infected again shortly. So, after resetting the device, make sure to immediately perform the firmware upgrade, prior to connecting the camera directly to the internet.”