Wrongly Accused Critical Vulnerability for Vivotek

By Brian Karas, Published Jul 13, 2017, 09:11am EDT

Vulnerabilities are an increasing branding and business problem for video surveillance manufacturers. However, the vulnerabilities reported are sometimes not as critical as the reports claim.

Vivotek recently faced one such report, but the vulnerability was meaningfully overstated. IPVM discussed this with the researcher who initially reported it and with Vivotek, and provides a more accurate assessment of the risks inside this report.

Vulnerability *******

***-****-**** ** ****** ** * ******** ***** of **.*, *** ********* * ************* in * *** ****** **** *** be ********* ** ***** ** *************** attacker (*********) ** ******* ***** ******** as ****. ***-****-**** ** ****** ** * *.*, *** describes * ************* ** * ******** cgi ****** **** *** ** ********* to ***** ** *************** ******** ** read *** **** ** *** ******, including ****** ***** **** ** *** password ********.

Original ********** ** ******* **********

******* **, * ******** ********** ** ***** who **** **** ** "********" *** "Chromium1337"********* ******* ** *** ******** ** June ****. ** ********* *********** *** ********** a ******* ******** ***** *** ********, and ******** **** ***** ******** *** exploiting **** ** ***** ***************.

NOT ********* ** *************** *****

***** *** ***'* ***** **** *** vulnerabilities ** *** ******* * ***** to *******, **** ******* *** *** researcher reporting *** ************* *** *********** **** a ******* ********, ****** *** **** ************ *** the ****** ** ***** ****** ****** with ** ***** ********.

Admin-Level ****** ********

*** *************** ******** ******* ** *** web ********* **** *** ************** *****, and ** * ******** ********** *** only ********** ** ***** **** ** admin-level *****. ***** ***** *** ********* the ******* *** *************** ******, ******* ************ recommends ******* ***** ****.

************* *** ***'* ** ******* *** requirement ** **** ******* ****** ** the ****** ***** *** ******* ***** by *, *** ***** *** ************** score *** **** **** ** ** 8. ***** ***** *********** **** ** overall ******* ***********, *** *************** ****** much **** ****** ** ** ********* in ****-***** *********.

Default ** ********

*** *******, ********* *** ************ ** this *****, ** **** ******* ******** to ** ********, ******** *** **** to ****** *** ****** ****** * password ** ***********. **** ** * security **** ** ******.

*******'* ******** ********* ***** ********* *** **** ******** ** *** first **** ***** ********* ********, ************ users *** * ****** ********, *** warning ** *** ***** ** ***** weak ** ** *********. ***** *** follow *******'* ***** *** ******* **** passwords ***** ************* ****** *** ******* of ***** *************** ***** *********. *******, Vivotek ***** ******* *** ******** ** forcing ****** ********* ** *******.


Vivotek Working ** ******* ********

******* ****** **** **** **** ***** of **** ************* **** ***** *********, and **** **** ******* ** ******** updates ** ******* **. ********** ****** ** ************, ********** ** **** ******** ******* available ** **** **, ****.

OEM/ODM ****** *** ********

******* **** ******** ***/*** ******** *** some ********* ** *** ********. ********* to *******, ** **** ***** ***** products *** ******** ********* ** *** company ***'*** *** *******, *** **** those ******** ***** *** **** *******'* scripts, *** ********** ***************.

Few ******** ********** *******

* ****** ***** ******** ********** *** publicly-accessible ******* *******, *** **** ** those ******** ** ************** *****, ********** they *** ********* ** ***** **** level ** **** ********.

Risk ********-***

*******, ***** *************** **** * ********** low ****, ************ ******* ***** ****** level *** ** ************* ******* **** by ******* * ****** ***** ********, something ********* ***** *** ******* **, if **** **** *** *******. *******, because **** ** ***** *** ********* for ********* ** *** ****** ** critical ***** ** *** ******, ** possibly **** *** ****** **** * botnet ******, ****** ** ******* ******* should ****** **** *** *** ******* root ********* *****, ** ***** **** passwords. 

UPDATE **** **

******* *** ******* ******* ******** *** the ******** ******. ******** *** ** found ** *******'* ******* ****, *** ******** **** **** * "2017.07" ****.

Comments (1)

UPDATE: Vivotek did release updated firmware for the affected models. Firmware can be found on Vivotek's support page, new firmware will have a "2017.07" date.
