Vulnerabilities ********
***** ****** [**** ** ****** *********], a ******** ********** ** ********* ******** ******* ** **** *************** ** ****** Security. *** *************** ******* ******* ** retrieve **** ******, *** *****, ******** files *** ***** **** **** **** FC-series ******* *******, ** **** ** hard ***** *********** *** ****** **** execution ********. *** *******, *******/******* *** string "/********/*********/******/*******.*** [**** ** ****** *********]" onto *** *** ** * **** FC ****** ******** ** ** ******* in * ******* **** ***** ******** cameras ** ****** * **** ***** (e.g.: http://192.168.99.10:8081/graphics/livevideo/stream/stream3.jpg).
** *****, ***** ******** ****** ********* to ******** **** *** ****** **** the *******, ** **** ** ******* various ******** **** ***** **** ** a ******** ******* ** *** ******, ultimately ******** ********* ** ****** *** execute ****** ****.
Vulnerability ********
** ******** *** *************** ** ********** **** ****** and ******* ***** **** ** /***/****** from ******** ********** ******* ***** *** Shodan. **** ******** ** ****** *********:
******** *** /***/****** **** ** ********** cameras ***** *** **** **** ******** used ****** *** ******** ** *******:
**** ********** **** *** ***** ** hard-coded *********** ** *** ************* *******, as ** ** ******** ********* **** so **** ******* ***** **** *** same ********* ******** ****** *** *** root ****.
No ******** *** *********
Updated ******** ********
****** - ****** ******** ******** **** not ********* ** *** **** ** our ******** ***********, **** **** ***** been ********.
**** ******** * ***** *** ***** vulnerabilities [**** ** ****** *********]. ******* instructions *** ******** ** *** ******* ***** for *** ***** [**** ** ****** available], ***** ******** ******** **** ****** individually *** *** *** *********. ******* this ** * *****, *** *** a **** ******** *******, ***** **** to ***** ** ** * ********* version (*.*.* ** *.*.*), *** **** need ** ****** ***** ******** ** one ** ***** ******** ****** ******** the ***** ** ******* ***** ******** on *** ******.
****'* ******** ******** ********* *** **** ****** ******** *** FC-Series ******* ** *-**-****, **** ****** this ************* *** ********:
FLIR Limited / **** ********
********* ****'* ******* *** ******* ** FLIR ** ********* ****, **** ****** a ************* ******** ** ******* *** [link ** ****** *********], **** ******* ***********. **** comes * ****** ***** *** ******* report ** **** ** ***** ***************, and **** *** ******* ***** ****** are ********, ** **** ********* *** expect ******* ********. *** ********* **** recommendation ** ** *** ***** ******** access ** **** *******:
** ****** ****, ** ********* **** customers ***** ******* **** ** ******, secured ********.
*** ****** ******** **** **** ********* a **** ** ************** **** ****, stating "** *** *** * *** or ********** **** **** ******** *** the ********* ***************."
**** ***** ***-***** *** *********** *** *** known ** **** **** ******* ** use ** ******** ************** *****, **** reported ***** ********* ** **** ** warn **** ** ***** *************** ****** the ******* *** *******.
Minimal ****** *******
*** ****** ** **** ***** ******** *** **** ******* **** **** *** results ** ********** *******:
**** ** *******, ***** **** **** thermal ******* *** **** *********, ***** not ** ******** **** ** "*******", and *** ********** ********* ** * VMS. *******, * **** ** *** ********* cameras ****** **** **% ** **** were ******** ** **** *************.
Impact *********
****** ******* **** ******* ********** ******, exploit ** ***** ******* ******* ********* for **** ****/******** ** *** ***** using ****. **** ******* ******* *** ********* deployed ** ******** ************** *****, ** sites **** **** ***** ******. ************, these ******* *** ***** ****** ** video ********* ******* *** ********* ********* warnings. * ************* **** ****** ** attacker ** **** *** ******'* ******** area, ** *********** ***** ******** ** disable *****/****** ********* ******* * **** more ****** **** **** ********* * camera *********** * ***** ********.
************, **** ********* **** *** ****** that ***** ********, *********, ** ***** data ***** ****** *********** ********* *********** about *** ******** ******* ************ ** ***** devices ** ***. ******* ***** **** potentially ** ********* ** ***** ***** access, ****** ********* ****** ** *** internal ******* *** ****** ******* **.
In ******** ** **** ***** *** ***************
***** *************** *** ******** *** ********** to ****************** **** **** *** **** ******* to **** ***** ****** ** *********** *** ********* ** ***** *** and ***** *****.
Vs ********* ********
***** **** *************** ** *** ***** users ** ********** ************** ** ***** to * ******* *** *********, ** ** reset ** ******** **** ********* ********. However, *** ****-***** *********** ** *** linux ** ***** ** **** ** access * ******* ********* ** *** was accessable ** *** ***** (*** *** is ******** ** *******).
**** ************* *** ************ ** *** ********* "***** ******" ******* ** **** ** **** *** ******* any ************** ** ******* ****** ** access *** ******** ********, *** ** is **** ******** ** **** ** cannot ** **** ** ***** ** takeover ** ***** ******* *** **** full ****** ** *** ******.
Poor ******** ***** ** ****
****'* **** ** * ****** ******** in ********* ********* *** ********** ***** vulnerabilities *** ******** ** **** ***** ******* ********** ******** ********.
********* *** ******** ***** *** ******* *******, ******* pressure ** ****, *** *** ********* avoided **** ** *** ****** ******** in **** *******. * ****** ******** **** legacy ************* *** **** ** ***** out *********'* ******** ******** ***************, *** failure ** ******* ***** ***********, ** we *******: ********* ***** **** *** ******** ****** Hit **** *** *****.
**** **** *************, **** *** ****** themselves **-*** **** ********* ** ***** ** ease ** ******* *** ******** ** proactive ************* ** *********, **** ****** eroding ***** *** ******* ***** ************* the ***** *** ***** **** *********** and ***-*****.
Comments (6)
Undisclosed Manufacturer #1
I'm curious if and how FLIR will react to this ☺️
Well done IPVM, thank you!
Create New Topic
Jon Dillabaugh
10/06/17 07:41pm
Doesn’t Dahua actually assemble the Flir TC series? Are we sure of who makes the FC series? I only have had my hands on the FC-618 for a short period and don’t recall at the moment if it was Dahua-esque.
Create New Topic
Undisclosed Manufacturer #1
It might be beneficial to search for FLIR OEM partners that just use FLIR's thermal modules and combine it with a custom (and more secure) encoder chipset (which includes all network functions).
I do not want to do any promotion here, but these partners exist.
Create New Topic
Brian Karas
There is now a software fix available from FLIR for these vulnerabilities, the report has been updated with the following section to address this:
UPDATE - Patch Released
FLIR released a patch for these vulnerabilities. Upgrade instructions are outlined in the release notes for the patch, which requires updating each camera individually via its web interface. Because this is a patch, and not a full firmware release, users need to first be on a supported version (1.3.4 or 1.3.5), and will need to update their firmware to one of these versions before applying the patch if running older software on the camera.
Create New Topic
Michael Gonzalez
10/11/17 02:33am
This is good information guys, thanks!
Create New Topic