Axis VDOO 2018 Vulnerability

Cybersecurity startup VDOO has uncovered significant vulnerabilities in Axis cameras, which we covered here.

IPVM has added this vulnerability to the IPVM Vulnerability Scanner, and updated Axis firmware can be found here.

Axis Vulnerability Details

VDOO disclosed seven vulnerabilities to the Axis' security team, currently listed without specific disclosed details:

CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663, CVE-2018-10664

These are of a high risk since they can result in root administrative access to the camera. The process required to perform an attack is complex, requiring multiple steps and advanced knowledge, unlike simpler severe vulnerabilities such as Dahua's hardcoded credentials or the Hikvision backdoor which are usable with only simple strings.

However, with this information now public, it is only a matter of time and motivation for bad actors with more advanced skills to create scripts which automate these attacks, making these vulnerabilities high priority for users to patch.

Impact of Vulnerability

The vulnerabilities require a specific combination of steps to gain and take advantage of access to view or adjust the camera stream, alter the camera's software (motion detection, lens adjustments, video overlay) or use the camera as a backdoor to other systems on within the network.

They bypass authorization checks, which allows them to gain unrestricted access to the cameras software bus.

They prove these capabilities by toggling an Axis logo video overlay on a vulnerable camera:

After running these commands, the overlay (by default - a small Axis logo) appears in the top left corner of the video stream:

Axis Response

This disclosure resulted in Axis releasing a list of affected products and patched firmware to remove the vulnerabilities in April, which included 390 different Axis Camera models.