Vivotek Remote Stack Overflow Vulnerability

By: Brian Karas, Published on Nov 14, 2017

A stack overflow vulnerability in Vivotek cameras has been discovered by bashis, the security researcher who has also found vulnerabilities in cameras from Axis and Dahua, among other brands. The vulnerability is very easy to exploit, and opens up a variety of ways for attackers to impact affected cameras from Vivotek.

Details of the vulnerability have been made public, after Vivotek failed to provide agreed-upon responses to bashis during the initial disclosure process.

In this report, we analyze the vulnerability and how Vivotek's handling of it led to details being released before patched firmware was fully available.


Vulnerability ********

**** ******* ** *** vulnerability **** *************** ** ****, *** ********' ****** *******. *** ************* ****** on ********** ******* **** to ****** ************* ** ******* ** their ****** *****. * specially-crafted **** ** *** URL ******** *** ************* when *** *** ******** data ** ****** ** what *** ******'* ********* expects. ********* *** **** able ** *********** ********* memory *********, ***** *** cause *** ****** ** crash, ** ** ******* arbitrary ****.

Very **** *******

** ******* ********, *********, or ******-******** *******/****** *** required ** ******* ** exploit ******* ** ******** camera. ****** ******* * long *** **** *** malicious *******, ** ***** in ******' *****-**-*******, *** trigger *** ********. **** makes ** ********* **** to ******** ******* **** this *************.

Affected ********

********* ** ******' ********, the ********* ****** *** have ******** **** **** vulnerability:

******, ******, ******, ******, FD8166A, *******, *******-*, *******, FD8167A, ********, ********, *******, FD8169A, *******, ********, ********, FD816B, ******, *******, *******, FD816C, ******, *******, *******, FD816D, ******, ******, ******, FD8182, ******-**, **********, *******, FD8367A, *******, *******, ******, FD836BA, ******, ******, ******, FD8382, ******, ******, ******, FD9381, *********, *********, ******, FE8374_v2, *********,******, ******, ******, FE9382, *******, *******, ******, IB836BA, ******, ******, ******, IB8382, ******, ******, ******, IP9171, ******, ******, ******, MD8564, ******, ******, ******, SD9362, ******, ******, ******, SD9366, ******

*** ************* *** ** present ** ***** ******* products ** ****, ******* is ** ******* ** verifying ***** ****** *** affected.

Firmware ******* ********

*******'* ******** ** *** initial ************* ********** ********** indicates **** ******** **** start ** ****** ********* on ******** ****:

***** *** ******** *** updated ** *** ********* affected ****** ******** ** November **** *** ******** 24th.

Risk ******

***** ** *********** ********* by ******, ** ** unlikely **** ************* *** be **** ** **** access ** * ***** shell, ** ** ****/*** external ****. ***** ** to ***** *** ****** to ****/****** ** *** most ****** ********, ***** could ** **** ** a **** ** ****** of ******* ****** ** the ******.

Vivotek ****** ********

The chain of events outlined by bashis in his disclosures claim that while Vivotek was initially responsive, the company did not respond to an email from bashis, which prompted him to disclose the vulnerability publicly, as initially agreed upon.

** ** ***** ** IPVM, ******* ************ *** lack ** ************** ** their ****, ******* **** had ******** ** *** for ********** **** ** complete ******* ** *** firmware.

Disclosure ***** ************ ************

While bashis could have chosen to wait to disclose the details, knowing that Vivotek was responding to the vulnerability, he was under no obligation to do so. ** these *********, ************* *** at * ************ ******** to ******** ***********, *** upon *********** *************** *** effectively ******* *** ***** of *** *** **** the ************* **** ** disclosed.

***** ************* *** ****** to *** **** ********** as * ******** ** training ********** *** ***** internal *****. ******* ********* *********, and ******, ** ****** lines ** ************** *** kept **** **** *********** in ***** ** ******** chances ** ************* *********** happening ****** **** *** fully ******** **** ******* firmware.

 

Comments (11)

VIVOTEK has just released the latest firmware for 41 camera models for this vulnerability issue. We encourage our users to update the firmware ASAP. (Check out the model list here: http://download.vivotek.com/downloadfile/support/cyber-security/vivotek-cyber-security-advisory-remote-stack-overflow-of-web-server.pdf). Be assured that we are committed to helping minimize and stop cyber security issues on our customers and VIVOTEK products.

The chain of events outlined by bashis in his disclosures claim that while Vivotek was initially responsive, the company did not respond to an email from bashis, which prompted him to disclose the vulnerability publicly, as initially agreed upon.

I asked bashis this exact question, I got the sense that he discloses regardless of manufacturer status, though reading it now can’t say for sure what he meant.

Future FD from my side are communicated from day one to the vendor, date is set from start more or less, no surprise here.

If you would start reading my FD a bit more careful, you would see that fixed FW already started to be pushed out in October 2017.

Actually, I went from November 1 to November 13 regarding FD by my own will, in this particular case (communicated to the vendor, of course).

I always start to communicate with 30 days until FD after initial contact to vendor, but I am always flexible for the FD date, and the two upcoming are set to 90 days, to allow the vendor to have proper QA and release cycle.

U1, I don't know who you are, and I really don't care, but please remember one thing - I could choose to not disclose anything, not even to the vendor.

 

 

If you would start reading my FD a bit more careful, you would see that fixed FW already started to be pushed out in October 2017.

I see that, however the article makes this point, which gives the impression that you were aware that Vivotek would have liked more time:

While bashis could have chosen to wait to disclose the details, knowing that Vivotek was responding to the vulnerability, he was under no obligation to do so.

Assuming that is accurate, I was wondering if you did so because your FD is immovable once set.

Which you have now made clear by this statement

Actually, I went from November 1 to November 13 regarding FD by my own will, in this particular case (communicated to the vendor, of course).

However, your FD makes no mention of the FD date actually being moved or for what reason, and no matter how carefully I read it, I would not know the circumstances around the changing of the date.

 

Dude, I'm not walking into public battle with you.

I don't give a shit about you and your thoughts, and in that I don't care if you would be Mr. Krebs or Mr. Trump, it's your damn problem, not mine.

From my own point of view;

I could be off radar for your eyes, with no FD and no vendor notifications, I could have sold my discoveries and you would have been happy, since you have never seen me and have no damn clue what's happening. But I choose not to do so, I prefer to have them public so even you can have your own opinion.

 

So tell me, what do you personally prefer - open eyes or closed eyes?

 

Dude, I'm not walking into public battle with you.

Seriously bashis?

I wasn’t attacking you or your motives in any way.  I was just asking a simple question, in essence, “is your FD date absolute or is it open to negotiation?”

I have too much respect for your work to respond to the rest of your provocations.

/have a nice day.

 

Fair enough.

I'm always open to timely negotiations.

Last vendor I contacted (EDIT: Not Vivotek!), I actually asked specifically if they would like to have more time (after my initial 30 days), after all it was 15+ vulnerabilities and some very simple - but critical, and they said "should be end of January", to which I respond "OK, I agree on timeline, let's try with 1st February".

1st February isn't fixed, but that is the setup timeline as of today.

However, if there is silent communication from the vendor before 1st February, even if I tried to re-establish, there will for sure be FD on the agreed date. (I will not try months to re-establish contact).

Have a nice day

/bashis

 

I believe it is important that the vulnerabilities are disclosed, and more importantly, that Vivotek is aware and has already released a new firmware day 17.
Serious manufacturer of Vivotek, I do not know why it does not give so much space in the materials, emphasizing more Chinese equipment.
We have to value the good manufacturers, and Vivotek is one of them.
Talk about Axis, Vivotek, Avigilon, Bosch (in OEM.. hehe), Panasonic (on OEM... hehe).. ISS, Genetec, Milestone.. etc. etc. etc. Congratulations to the comments and the IPVM.

Family Feud - Contractor Edition

“Name another quality manufacturer besides Axis, Avigilon, Bosch, Panasonic, ISS, Genetec, Milestone”

“Vivotek?”

“Survey Says” 

“Number one answer is Sony”

Well remembered ... yes, I forgot about Sony ... but I do not think Sony is the number, I think it's among the best.
Now to say that Vivotek is not among the best, I think you should first disclose your name, and then know the products.

VIVOTEK has released the firmware for the rest of 45 camera models for this vulnerability issue. We encourage our users to update the firmware ASAP. (Check out the model list here: http://download.vivotek.com/downloadfile/support/cyber-security/vivotek-cyber-security-advisory-remote-stack-overflow-of-web-server.pdf).
