If an attacker were to chain three of the flaws in the Axis IP cameras, they could remotely execute shell commands with root privileges. Update your firmware now.

If you use Axis security cameras, you really need to update the firmware because seven vulnerabilities found in 390 camera models could allow an attacker to remotely take over the camera.

VDOO security researchers have been looking into the security of IoT products dealing with safety and security and finding zero-day vulnerabilities. Earlier this month, VDOO disclosed a critical chain of vulnerabilities in Foscam security cameras. This time around, the researchers disclosed seven vulnerabilities in Axis Communications’ security cameras.

VDOO senior security researcher Or Peles explained that chaining three of the flaws together could allow “an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera.”

VDOO warned that an attacker who gained such control of an Axis camera could do the following:

- Access the camera’s video stream
- Freeze the camera’s video stream
- Control the camera – move the lens to a desired point, turn motion detection on/off
- Add the camera to a botnet
- Alter the camera’s software
- Use the camera as an infiltration point for network (performing lateral movement)
- Render the camera useless
- Use the camera to perform other nefarious tasks (DDoS attacks, Bitcoin mining, others)

What are the Axis IP camera vulnerabilities?

There are 390 vulnerable models of Axis IP cameras listed as affected products (pdf).

The seven vulnerabilities are CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663 and CVE-2018-10664. By chaining three – CVE-2018-10661, CVE-2018-10662, and CVE-2018-10660 – an attacker with network access to the camera could remotely execute shell commands with root privileges.
The three flaws chained together are an authorization bypass vulnerability (CVE-2018-10661), a flaw that gives unrestricted dbus access to users of the .srv functionality (CVE-2018-10662), and a shell command injection vulnerability (CVE-2018-10660).

Of the remaining four flaws, one is an information leakage vulnerability and three can be abused to crash processes.

The researchers added that they do not believe the vulnerabilities affecting 390 Axis products have been exploited in the wild yet. However, with the technical deep-dive writeup and proof-of-concept demonstrations being out there now, failing to immediately patch your Axis camera could lead to remote attackers taking control of it.

In the FAQ section, Peles advised checking your Axis IP camera’s firmware version by accessing it via a web browser, entering your username and password, and clicking System > Options > Support > System Overview. He included additional advice for how to mitigate the risk if you can’t update the firmware.

At the time of VDOO disclosing the seven vulnerabilities, there was no malware abusing the flaws. Signs that malware or a botnet is on your device include your password no longer working, your device settings being modified, and a spike in network traffic.

If the device has been breached, then restore the camera to factory settings. “Keep in mind that if you’re using a firmware susceptible to the vulnerabilities detected by VDOO, the device might be targeted and can become infected again shortly. So, after resetting the device, make sure to immediately perform the firmware upgrade, prior to connecting the camera directly to the internet.”