Vivotek Remote Stack Overflow Vulnerability

By: Brian Karas, Published on Nov 14, 2017

A stack overflow vulnerability in Vivotek cameras has been discovered by bashis, the security researcher who has also found vulnerabilities in cameras from Axis and Dahua, among other brands. The vulnerability is very easy to exploit, and opens up a variety of ways for attackers to impact affected cameras from Vivotek.

Details of the vulnerability have been made public, after Vivotek failed to provide agreed-upon responses to bashis during the initial disclosure process.

In this report, we analyze the vulnerability and how Vivotek's handling of it led to details being released before patched firmware was fully available.

Vulnerability ********

**** ******* ** *** vulnerability **** *************** ** ****, *** ********' ****** *******. *** ************* ****** on ********** ******* **** to ****** ************* ** ******* ** their ****** *****. * specially-crafted **** ** *** URL ******** *** ************* when *** *** ******** data ** ****** ** what *** ******'* ********* expects. ********* *** **** able ** *********** ********* memory *********, ***** *** cause *** ****** ** crash, ** ** ******* arbitrary ****.

Very **** *******

** ******* ********, *********, or ******-******** *******/****** *** required ** ******* ** exploit ******* ** ******** camera. ****** ******* * long *** **** *** malicious *******, ** ***** in ******' *****-**-*******, *** trigger *** ********. **** makes ** ********* **** to ******** ******* **** this *************.

Affected ********

********* ** ******' ********, the ********* ****** *** have ******** **** **** vulnerability:

******, ******, ******, ******, FD8166A, *******, *******-*, *******, FD8167A, ********, ********, *******, FD8169A, *******, ********, ********, FD816B, ******, *******, *******, FD816C, ******, *******, *******, FD816D, ******, ******, ******, FD8182, ******-**, **********, *******, FD8367A, *******, *******, ******, FD836BA, ******, ******, ******, FD8382, ******, ******, ******, FD9381, *********, *********, ******, FE8374_v2, *********,******, ******, ******, FE9382, *******, *******, ******, IB836BA, ******, ******, ******, IB8382, ******, ******, ******, IP9171, ******, ******, ******, MD8564, ******, ******, ******, SD9362, ******, ******, ******, SD9366, ******

*** ************* *** ** present ** ***** ******* products ** ****, ******* is ** ******* ** verifying ***** ****** *** affected.

Firmware ******* ********

*******'* ******** ** *** initial ************* ********** ********** indicates **** ******** **** start ** ****** ********* on ******** ****:

***** *** ******** *** updated ** *** ********* affected ****** ******** ** November **** *** ******** 24th.

Risk ******

***** ** *********** ********* by ******, ** ** unlikely **** ************* *** be **** ** **** access ** * ***** shell, ** ** ****/*** external ****. ***** ** to ***** *** ****** to ****/****** ** *** most ****** ********, ***** could ** **** ** a **** ** ****** of ******* ****** ** the ******.

Vivotek ****** ********

*** ***** ** ****** outlined ** ****** ** his *********** ***** **** ***** Vivotek *** ********* **********, the ******* *** *** respond ** ** ***** from ******, ***** ******** him ** ******** *** vulnerability ********, ** ********* agreed ****.

** ** ***** ** IPVM, ******* ************ *** lack ** ************** ** their ****, ******* **** had ******** ** *** for ********** **** ** complete ******* ** *** firmware.

Disclosure ***** ************ ************

***** ****** ***** **** chosen ** **** ** disclose *** *******, ******* that ******* *** ********** to *** *************, ** was ***** ** ********** to ** **. ** these *********, ************* *** at * ************ ******** to ******** ***********, *** upon *********** *************** *** effectively ******* *** ***** of *** *** **** the ************* **** ** disclosed.

***** ************* *** ****** to *** **** ********** as * ******** ** training ********** *** ***** internal *****. ******* ********* *********, and ******, ** ****** lines ** ************** *** kept **** **** *********** in ***** ** ******** chances ** ************* *********** happening ****** **** *** fully ******** **** ******* firmware.

 

Comments (11)

VIVOTEK has just released the latest firmware for 41 camera models for this vulnerability issue. We encourage our users to update the firmware ASAP. (Check out the model list here: http://download.vivotek.com/downloadfile/support/cyber-security/vivotek-cyber-security-advisory-remote-stack-overflow-of-web-server.pdf). Be assured that we are committed to helping minimize and stop cyber security issues on our customers and VIVOTEK products.

"The chain of events outlined by bashis in his disclosures claim that while Vivotek was initially responsive, the company did not respond to an email from bashis, which prompted him to disclose the vulnerability publicly, as initially agreed upon."

I asked bashis this exact question, I got the sense that he discloses regardless of manufacturer status, though reading it now can’t say for sure what he meant.

Future FD from my side are communicated from day one to the vendor, date is set from start more or less, no surprise here.

If you would start reading my FD a bit more carefully, you would see that fixed FW already started to be pushed out in October 2017.

Actually, I went from November 1 to November 13 regarding FD by my own will, in this particular case (communicated to the vendor, of course).

I always start to communicate with 30 days until FD after initial contact to vendor, but I am always flexible for the FD date, and the two upcoming are set to 90 days, to allow the vendor to have proper QA and release cycle.

U1, I don't know who you are, and I really don't care, but please remember one thing - I could choose to not disclose anything, not even to the vendor.

 

 

"If you would start reading my FD a bit more carefully, you would see that fixed FW already started to be pushed out in October 2017."

I see that, however the article makes this point, which gives the impression that you were aware that Vivotek would have liked more time:

"While bashis could have chosen to wait to disclose the details, knowing that Vivotek was responding to the vulnerability, he was under no obligation to do so."

Assuming that is accurate, I was wondering if you did so because your FD is immovable once set.

Which you have now made clear by this statement

"Actually, I went from November 1 to November 13 regarding FD by my own will, in this particular case (communicated to the vendor, of course)."

However, your FD makes no mention of the FD date actually being moved or for what reason, and no matter how carefully I read it, I would not know the circumstances around the changing of the date.

 

Dude, I'm not walking into public battle with you.

I don't give a shit about you and your thoughts, and in that I don't care if you would be Mr. Krebs or Mr. Trump, it's your damn problem, not mine.

From my own point of view;

I could be off radar for your eyes, with no FD and no vendor notifications, I could have sold my discoveries and you would have been happy, since you have never seen me and have no damn clue what's happening. But I choose not to do so, I prefer to have them public so even you can have your own opinion.

 

So tell me, what do you personally prefer - open eyes or closed eyes?

 

"Dude, I'm not walking into public battle with you."

Seriously bashis?

I wasn’t attacking you or your motives in any way.  I was just asking a simple question, in essence, “is your FD date absolute or is it open to negotiation?”

I have too much respect for your work to respond to the rest of your provocations.

/have a nice day.

 

Fair enough.

I'm always open to timely negotiations.

Last vendor I contacted (EDIT: Not Vivotek!), I actually asked specifically if they would like to have more time (after my initial 30 days), after all it was 15+ vulnerabilities and some very simple - but critical, and they said "should be end of January", to which I respond "OK, I agree on timeline, let's try with 1st February".

1st February isn't fixed, but that is the setup timeline as of today.

However, if there is silent communication from the vendor before 1st February, even if I tried to re-establish, there will for sure be FD on the agreed date. (I will not try months to re-establish contact).

Have a nice day

/bashis

 

I believe it is important that the vulnerabilities are disclosed, and more importantly, that Vivotek is aware and has already released a new firmware day 17.
Serious manufacturer of Vivotek, I do not know why it does not give so much space in the materials, emphasizing more Chinese equipment.
We have to value the good manufacturers, and Vivotek is one of them.
Talk about Axis, Vivotek, Avigilon, Bosch (in OEM..hehe), Panasonic (on OEM ... hehe) .. ISS, Genetec, Milestone, etc. Congratulations to the comments and the IPVM.

Family Feud - Contractor Edition

“Name another quality manufacturer besides Axis, Avigilon, Bosch, Panasonic, ISS, Genetec, Milestone”

“Vivotek?”

“Survey Says” 

“Number one answer is Sony”

Well remembered ... yes, I forgot about Sony ... but I do not think Sony is the number, I think it's among the best.
Now to say that Vivotek is not among the best, I think you should first disclose your name, and then know the products.

VIVOTEK has released the firmware for the rest of 45 camera models for this vulnerability issue. We encourage our users to update the firmware ASAP. (Check out the model list here: http://download.vivotek.com/downloadfile/support/cyber-security/vivotek-cyber-security-advisory-remote-stack-overflow-of-web-server.pdf).
