Bashis Joins IPVM To Lead Cybersecurity Research

Bashis has joined IPVM to lead our cybersecurity research, expanding the depth and breadth of IPVM's reporting.

His discoveries include 13 that have been assigned Common Vulnerabilities and Exposures (CVE) IDs (5 Critical, 2 High, 4 Medium, 2 Low) plus a dozen more vulnerabilities, affecting companies including Axis, Cisco, Dahua, Geovision, TVT, Uniview, Vivotek, and more.

IPVM plans to publish cybersecurity research that helps educate the public on general risks in physical security technology as well as specific risks and vulnerabilities in individual products that are widely used. This will include tutorials and other educational reports, software "teardowns" of individual products, and discovering new vulnerabilities.

For the new vulnerabilities that Bashis and IPVM find, we will follow responsible disclosure, contacting manufacturers 90 days prior to full disclosure of the vulnerability.

IPVM Founder John Honovich stated:

Research is core to what IPVM does and no one has found as many vulnerabilities in physical security as Bashis. We are excited that Bashis has joined IPVM and are focused on improving this industry's cybersecurity, educating professionals and exposing risks that endanger the security of the public.

With more than 20 years of experience, Bashis' work has exposed prominent cybersecurity vulnerabilities, with notable discoveries including Axis Communications Remote Format String in 2016, and the Dahua Technology Backdoor in 2017.

See Bashis' CVE assignments: 5 Critical, 2 High, 4 Medium and 2 Low Severity.

• CVE-2021-33045 : The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets., CVSS: 10.0
• CVE-2021-33044 : The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets., CVSS: 10.0
• CVE-2020-9501 : Attackers can obtain Cloud Key information from the Dahua Web P2P control in specific ways. Cloud Key is used to authenticate the connection between the client tool and the platform. An attacker may use the leaked Cloud Key to impersonate the client to connect to the platform, resulting in additional consumption of platform server resources., CVSS: 2.1
• CVE-2019-1914 : A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient validation of user-supplied input., CVSS: 9.0
• CVE-2019-1913 : Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system., CVSS: 10.0
• CVE-2019-1912 : A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files. The vulnerability is due to incomplete authorization checks in the web management interface., CVSS: 6.4
• CVE-2017-7927 : A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC, CVSS: 7.5
• CVE-2017-7925 : A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, , CVSS: 5.0
• CVE-2004-2427 : Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to obtain sensitive information via direct requests, CVSS: 10.0
• CVE-2004-2426 : Directory traversal vulnerability in Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to bypass authentication, CVSS: 5.0
• CVE-2004-2425 : Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to execute arbitrary commands, CVSS: 7.5
• CVE-2001-0566 : Cisco Catalyst 2900XL switch allows a remote attacker to create a denial of service via an empty UDP packet sent to port 161 (SNMP) when SNMP is disabled., CVSS: 5.0
• CVE-2001-0741 : Cisco Hot Standby Routing Protocol (HSRP) allows local attackers to cause a denial of service by spoofing HSRP packets., CVSS: 2.1

Vulnerabilities Discovered Without CVEs Assigned

Additionally, Bashis has discovered the following vulnerabilities that were not assigned CVEs:

== 2019 ==

• [LifeSafety Power] Multiple Remote Command Execution (RCE), Multiple Stack Overflow, Improper Access Control: PoC/LifeSafetyPower-Netlink-PoC.py at master · mcw0/PoC · GitHub

== 2018 ==

• [Avtech] Remote Command Execution (RCE), Heap Overflow, Unauthenticated write only API, Hardcoded root credentials: PoC/Avtech_Undocumented_API_and_RCE.txt at master · mcw0/PoC · GitHub, PoC/AVTECH-IPCP-RCE.py at master · mcw0/PoC · GitHub
• [Geovision] Multiple Remote Command Execution (RCE), Multiple Stack Overflow, Double free, Improper Access Control: PoC/Geovision IP Camera Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access.txt at master · mcw0/PoC · GitHub
• [Herospeed] Stack Overflow: PoC/Herospeed-TelnetSwitch.py at master · mcw0/PoC · GitHub
• [Reolink] Authenticated Remote Command Execution (RCE): PoC/Reolink-IPC-RCE.py at master · mcw0/PoC · GitHub
• [Shenzhen TVT] Stack overflow, Use of Hard-coded Credentials, Remote Command Execution (RCE): PoC/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt at master · mcw0/PoC · GitHub

== 2017 ==

• [Axis] SSI Remote Command Execution (RCE), SSI Local File Inclusion (LFI): PoC/Axis SSI RCE at master · mcw0/PoC · GitHub
• [Axis] Heap Overflow: PoC/Axis_Communications_MPQT_PACS_Heap_Overflow_and_information_leakage.txt at master · mcw0/PoC · GitHub, Axis Note: Advisory_ACV-120444.pdf
• [QNAP] Multiple Heap Overflow, Stack Overflow, Heap Feng Shui: PoC/QNAP NVR NAS Heap - Stack - Heap Feng Shui overflow and "Heack Combo" to pwn.txt at master · mcw0/PoC · GitHub
• [Uniview] Remote Command Execution (RCE), Improper Authorization: PoC/Uniview RCE PoC.txt at master · mcw0/PoC · GitHub
• [Vitek] Stack Overflow, Improper Authorization: PoC/Vitek_RCE_and_information_disclosure.txt at master · mcw0/PoC · GitHub
• [Vivotek] Stack Overflow: PoC/Vivotek IP Cameras - Remote Stack Overflow.txt at master · mcw0/PoC · GitHub

Feedback / Questions

Feedback or questions may be left in the comments, or one can email mcw at ipvm dot com or info at ipvm dot com.