Wrongly Accused Critical Vulnerability for Vivotek

By: Brian Karas, Published on Jul 13, 2017

Vulnerabilities are an increasing branding and business problem for video surveillance manufacturers. However, sometimes vulnerabilities reported are not as critical as the reports claim. 

Vivotek was recently faced with one but the vulnerability was meaningfully overstated. IPVM discussed this with the researcher who initially reported them and Vivotek, providing a more accurate assessment of the risks inside this report.

*************** *** ** ********** branding *** ******** ******* for ***** ************ *************. However, ********* *************** ******** are *** ** ******** as *** ******* *****. 

******* *** ******** ***** with *** *** *** vulnerability *** ************ **********. IPVM ********* **** **** *** researcher *** ********* ******** them *** *******, ********* * more ******** ********** ** the ***** ****** **** report.

[***************]

Vulnerability *******

***-****-**** ** ****** ** * severity ***** ** **.*, and ********* * ************* in * *** ****** that *** ** ********* to ***** ** *************** attacker (*********) ** ******* shell ******** ** ****. ***-****-**** ** ****** ** * 5.0, *** ********* * vulnerability ** * ******** cgi ****** **** *** be ********* ** ***** an *************** ******** ** read *** **** ** the ******, ********* ****** files **** ** *** password ********.

Original ********** ** ******* **********

******* **, * ******** ********** in ***** *** **** goes ** "********" *** "Chromium1337"********* ******* ** *** findings ** **** ****. ** ********* *********** and ********** * ******* firmware ***** *** ********, and ******** **** ***** examples *** ********** **** of ***** ***************.

NOT ********* ** *************** *****

***** *** ***'* ***** that *** *************** ** not ******* * ***** to *******, **** ******* and *** ********** ********* *** vulnerability *** *********** **** a ******* ********, ****** *** **** specifically *** *** ****** to ***** ****** ****** with ** ***** ********.

Admin-Level ****** ********

*** *************** ******** ******* in *** *** ********* used *** ************** *****, and ** * ******** deployment *** **** ********** to ***** **** ** admin-level *****. ***** ***** can ********* *** ******* for *************** ******, ******* ************ recommends ******* ***** ****.

************* *** ***'* ** reflect *** *********** ** have ******* ****** ** the ****** ***** *** overall ***** ** *, and ***** *** ************** score *** **** **** 10 ** *. ***** still *********** **** ** overall ******* ***********, *** vulnerabilities ****** **** **** likely ** ** ********* in ****-***** *********.

Default ** ********

*** *******, ********* *** contributing ** **** *****, is **** ******* ******** to ** ********, ******** any **** ** ****** the ****** ****** * password ** ***********. **** is * ******** **** in ******.

*******'* ******** ********* ***** ********* *** **** ******** as *** ***** **** after ********* ********, ************ users *** * ****** password, *** ******* ** the ***** ** ***** weak ** ** *********. Users *** ****** *******'* guide *** ******* **** passwords ***** ************* ****** the ******* ** ***** vulnerabilities ***** *********. *******, Vivotek ***** ******* *** security ** ******* ****** passwords ** *******.

 

Vivotek Working ** ******* ********

******* ****** **** **** made ***** ** **** vulnerability **** ***** *********, and **** **** ******* on ******** ******* ** resolve **. ********** ****** ** ************, ********** ** **** firmware ******* ********* ** July **, ****.

OEM/ODM ****** *** ********

******* **** ******** ***/*** products *** **** ********* in *** ********. ********* to *******, ** **** cases ***** ******** *** firmware ********* ** *** company ***'*** *** *******, and **** ***** ******** would *** **** *******'* scripts, *** ********** ***************.

Few ******** ********** *******

* ****** ***** ******** relatively *** ********-********** ******* cameras, *** **** ** those ******** ** ************** error, ********** **** *** specified ** ***** **** level ** **** ********.

Risk ********-***

*******, ***** *************** **** a ********** *** ****, particularly ******* ***** ****** level *** ** ************* reduced **** ** ******* a ****** ***** ********, something ********* ***** *** quickly **, ** **** have *** *******. *******, because **** ** ***** the ********* *** ********* to *** ****** ** critical ***** ** *** camera, ** ******** **** the ****** **** * botnet ******, ****** ** Vivotek ******* ****** ****** they *** *** ******* root ********* *****, ** using **** *********. 

UPDATE **** **

******* *** ******* ******* firmware *** *** ******** models. ******** *** ** found ** *******'* ******* ****, *** ******** **** have * "****.**" ****.

Comments (1)

Avatar

Brian Karas

IPVM | 07/25/17 08:39pm

UPDATE: Vivotek did release updated firmware for the affected models. Firmware can be found on Vivotek's support page, new firmware will have a "2017.07" date.

Read this IPVM report for free.

This article is part of IPVM's 6,432 reports, 865 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Manufacturers Doing Better Than Expected Against Coronavirus on May 05, 2020
Coronavirus impacts are not hitting manufacturers as badly as they feared,...
The Problem With Fever Detecting Thermal Sunglasses on Apr 15, 2020
While the media has promoted using thermal sunglasses to detect fevers, this...
Coronavirus Hits Manufacturers, Standing Now, Worse To Come on Apr 06, 2020
Coronavirus is hitting security manufacturers, though overall modestly for...
Faked Coronavirus Fever Detection, Athena Used Hikvision; Responds - Selling NDAA Compliant Cameras, Pledging 50% Of Profits to Victims on Mar 24, 2020
US company, Athena Security, faked its coronavirus fever detection marketing,...
Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
Add Door Operators To Fight Coronavirus on Mar 31, 2020
IPVM recommends that integrators advocate and end-users consider adding door...
Faked Convergint Fever Camera 'Expert' Marketing on Jun 16, 2020
Convergint touts they are "THERMAL CAMERA SOLUTION EXPERTS" while faking...
Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Integrators Rising Against Coronavirus on May 27, 2020
IPVM integrator statistics make it clear - Coronavirus's impact on business...
Convergint Refuses To Fix Faked Fever Marketing, FTC Complaint Filed on Jun 19, 2020
Since Convergint has refused to fix their faked fever camera marketing, IPVM...
Facial Recognition: Weak Sales, Anti Regulation, No Favorite, Says Security Integrators on Jul 07, 2020
While facial recognition has gained greater prominence, a new IPVM study of...
China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Spectron IR Thermal Fever Screening System Examined on Apr 14, 2020
Most are quick to avoid "fever screening" and "medical" labels, but...

Recent Reports

SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Indian Government Restricts PRC Manufacturers From Public Projects on Aug 04, 2020
In a move that mirrors the U.S. government’s ban on Dahua and Hikvision...
Directory of 200 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...
US Startup Fever Inspect Examined on Aug 03, 2020
Undoubtedly late to fever cameras, this US company, Fever Inspect, led by a...
Motorola Solutions Acquires Pelco on Aug 03, 2020
Motorola Solutions has acquired Pelco, pledging to bring blue back and make...
False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020
Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...
US GSA Explains NDAA 889 Part B Blacklisting on Jul 31, 2020
With the 'Blacklist Clause' going into effect August 13 that bans the US...
Access Control Online Show July 2020 - On-Demand Recording of 45+ Manufacturers Presentations on Jul 30, 2020
The show featured 48 Access Control presentations, all now recorded and...
Face Detection Shootout - Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jul 30, 2020
Face detection analytics are available from a number of manufactures...
Sunell is The First China Manufacturer to Market NDAA Compliance on Jul 30, 2020
Most China manufacturers are going to be impacted by the NDAA 'Blacklist...