Vulnerable Camera - how bad can it be?

TLP: WHITE

MS-ISAC CYBERSECURITY ADVISORY

MS-ISAC ADVISORY NUMBER:

2018-031

DATE(S) ISSUED:

03/21/2018

SUBJECT:

Multiple Vulnerabilities in Pelco Sarix Professional Could Allow for Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Pelco Sarix Professional IP cameras, the most severe of which could allow for code execution. Pelco Sarix Professional is a series of professional IP cameras used indoors and outdoors. Successful exploitation of these vulnerabilities could allow for an attacker to execute code, bypass security restrictions, gain access to sensitive information, and perform unauthorized actions.  

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEM AFFECTED:

  • Pelco Sarix Professional cameras with firmware versions prior to 3.29.67


RISK:

Government:

  • Large and medium government entities: High

  • Small government entities: High

Businesses:

  • Large and medium business entities: High

  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Pelco Sarix Professional IP cameras, the most severe of which could allow for code execution. Details of the vulnerabilities are as follows:

  • An information disclosure vulnerability in which retrieving specially crafted URLs without authentication can reveal sensitive information to an attacker. (CVE-2018-7227)
  • An authentication bypass vulnerability which could allow an unauthenticated, remote attacker to bypass authentication and gain administrator privileges. (CVE-2018-7228)
  • An authentication bypass vulnerability which could allow an unauthenticated, remote attacker to bypass authentication and gain administrator privileges due to hard-coded credentials. (CVE-2018-7229)
  • An XML external entity (XXE) vulnerability in import.cgi of the web interface. (CVE-2018-7230)
  • A command execution vulnerability caused by the lack of validation of shell metacharacters in the value of ‘system.opkg.remove’. (CVE-2018-7231)
  • A command execution vulnerability caused by the lack of validation of shell metacharacters in the value of ‘network.ieee8021x.delete_certs’. (CVE-2018-7232)
  • A command execution vulnerability caused by the lack of validation of shell metacharacters in the value of ‘model_name’ or ‘mac_address’. (CVE-2018-7233)
  • An arbitrary file download vulnerability caused by the lack of validation of the SSL certificate file. (CVE-2018-7234)
  • A command execution vulnerability caused by the lack of validation of shell metacharacters in the value of ‘system.download.sd_file’. (CVE-2018-7235)
  • An authentication bypass vulnerability, caused by the lack of authentication for /login/bin/set_param, that could allow the SSH service to be enabled. (CVE-2018-7236)
  • An arbitrary file deletion vulnerability that could allow a remote attacker to delete arbitrary system files, caused by /login/bin/set_param not validating the file name passed in the value of ‘system.delete.sd_file’. (CVE-2018-7237)
  • A buffer overflow vulnerability within the web-based GUI of Sarix Pro that could allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2018-7238)

Successful exploitation of these vulnerabilities could allow for an attacker to execute code, bypass security restrictions, gain access to sensitive information, and perform unauthorized actions.  
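The following Python script is an added triage example, not part of this advisory and not Pelco's or MS-ISAC's code. It does two things a defender would want while this advisory is open: it decides from a reported firmware version whether a camera is in the affected range (prior to 3.29.67), and it scans web-server access log lines for requests that touch the endpoint and parameter names the advisory lists. The log format (combined format), the assumption that the named parameters appear in the query string, the path of import.cgi, and the log lines themselves are all constructed for the example; the advisory does not state how the cameras log requests or exactly where the parameters are carried, so the patterns should be adjusted to the real log source.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# From the advisory: firmware versions prior to 3.29.67 are affected.
FIXED_VERSION = (3, 29, 67)

# Parameter names the advisory associates with command execution or file
# operations via unvalidated shell metacharacters (CVE-2018-7231 to -7237).
SENSITIVE_PARAMS = {
    "system.opkg.remove",
    "network.ieee8021x.delete_certs",
    "model_name",
    "mac_address",
    "system.download.sd_file",
    "system.delete.sd_file",
}

# Characters that carry meaning for a POSIX shell; any of these in one of
# the parameters above is worth an alert, whatever the surrounding text.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")

# Minimal combined-log pattern (assumption: the cameras or a proxy log in
# this format): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_version(text):
    """'3.28.10' -> (3, 28, 10); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True when the reported firmware predates the fixed release 3.29.67."""
    return parse_version(version) < FIXED_VERSION


def is_sensitive_path(path):
    # /login/bin/set_param is named in the advisory; the location of
    # import.cgi is not, so match on its file name (assumption).
    return path == "/login/bin/set_param" or path.rsplit("/", 1)[-1] == "import.cgi"


def inspect_request(target):
    """Return a list of findings for one request target (path plus query)."""
    findings = []
    parts = urlsplit(target)
    if is_sensitive_path(parts.path):
        findings.append(f"request to sensitive endpoint {parts.path}")
    # parse_qsl percent-decodes values, so %3B is inspected as ';'.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in SENSITIVE_PARAMS and SHELL_META.search(value):
            findings.append(f"shell metacharacter in parameter {key}")
    return findings


def scan_log(lines):
    """Return (client_ip, target, findings) for every line that raises a finding."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or foreign line; skip rather than fail
        findings = inspect_request(match["target"])
        if findings:
            hits.append((match["ip"], match["target"], findings))
    return hits


# Constructed sample lines; 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Mar/2018:10:00:01 +0000] "GET /login/bin/set_param?system.opkg.remove=pkg%3Bextra HTTP/1.1" 200 512',
    '192.0.2.11 - - [21/Mar/2018:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.12 - - [21/Mar/2018:10:00:03 +0000] "GET /set?model_name=cam01 HTTP/1.1" 200 64',
    '192.0.2.13 - - [21/Mar/2018:10:00:04 +0000] "POST /import.cgi HTTP/1.1" 200 128',
    '192.0.2.14 - - [21/Mar/2018:10:00:05 +0000] "GET /set?mac_address=00%3A11%3A22%24%28x%29 HTTP/1.1" 200 64',
    'this line is not in combined log format',
]


if __name__ == "__main__":
    for version in ("3.28.10", "3.29.67", "3.30.0"):
        print(f"firmware {version}: {'AFFECTED' if is_affected(version) else 'ok'}")
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {target}")
        for finding in findings:
            print(f"    {finding}")
```

Lines that reach the named endpoints are reported even when their parameters look clean, because the advisory's concern with /login/bin/set_param and import.cgi is that they are reachable without authentication at all; the metacharacter check is a second, independent signal. Both results are returned from functions so the script can be wired into an existing log pipeline rather than only printed.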

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate firmware updates provided by Pelco to vulnerable systems, immediately after appropriate testing.
  • Where possible, place the cameras behind a firewall and limit external network access to affected products.
  • Verify no unauthorized system modifications have occurred before applying the patch.
  • Apply the Principle of Least Privilege to all systems and services.