Wrongly Accused Critical Vulnerability for Vivotek

By Brian Karas, Published Jul 13, 2017, 09:11am EDT

Vulnerabilities are an increasing branding and business problem for video surveillance manufacturers. However, sometimes vulnerabilities reported are not as critical as the reports claim. 

Vivotek was recently faced with one but the vulnerability was meaningfully overstated. IPVM discussed this with the researcher who initially reported them and Vivotek, providing a more accurate assessment of the risks inside this report.

Vulnerability *******

***-****-**** ** ****** ** * severity ***** ** **.*, and ********* * ************* in * *** ****** that *** ** ********* to ***** ** *************** attacker (*********) ** ******* shell ******** ** ****. ***-****-**** ** ****** ** * 5.0, *** ********* * vulnerability ** * ******** cgi ****** **** *** be ********* ** ***** an *************** ******** ** read *** **** ** the ******, ********* ****** files **** ** *** password ********.

Original ********** ** ******* **********

******* **, * ******** ********** in ***** *** **** goes ** "********" *** "Chromium1337"********* ******* ** *** findings ** **** ****. ** ********* *********** and ********** * ******* firmware ***** *** ********, and ******** **** ***** examples *** ********** **** of ***** ***************.

NOT ********* ** *************** *****

***** *** ***'* ***** that *** *************** ** not ******* * ***** to *******, **** ******* and *** ********** ********* *** vulnerability *** *********** **** a ******* ********, ****** *** **** specifically *** *** ****** to ***** ****** ****** with ** ***** ********.

Admin-Level ****** ********

*** *************** ******** ******* in *** *** ********* used *** ************** *****, and ** * ******** deployment *** **** ********** to ***** **** ** admin-level *****. ***** ***** can ********* *** ******* for *************** ******, ******* ************ recommends ******* ***** ****.

************* *** ***'* ** reflect *** *********** ** have ******* ****** ** the ****** ***** *** overall ***** ** *, and ***** *** ************** score *** **** **** 10 ** *. ***** still *********** **** ** overall ******* ***********, *** vulnerabilities ****** **** **** likely ** ** ********* in ****-***** *********.

Default ** ********

*** *******, ********* *** contributing ** **** *****, is **** ******* ******** to ** ********, ******** any **** ** ****** the ****** ****** * password ** ***********. **** is * ******** **** in ******.

*******'* ******** ********* ***** ********* *** **** ******** as *** ***** **** after ********* ********, ************ users *** * ****** password, *** ******* ** the ***** ** ***** weak ** ** *********. Users *** ****** *******'* guide *** ******* **** passwords ***** ************* ****** the ******* ** ***** vulnerabilities ***** *********. *******, Vivotek ***** ******* *** security ** ******* ****** passwords ** *******.

 

Vivotek Working ** ******* ********

******* ****** **** **** made ***** ** **** vulnerability **** ***** *********, and **** **** ******* on ******** ******* ** resolve **. ********** ****** ** ************, ********** ** **** firmware ******* ********* ** July **, ****.

OEM/ODM ****** *** ********

******* **** ******** ***/*** products *** **** ********* in *** ********. ********* to *******, ** **** cases ***** ******** *** firmware ********* ** *** company ***'*** *** *******, and **** ***** ******** would *** **** *******'* scripts, *** ********** ***************.

Few ******** ********** *******

* ****** ***** ******** relatively *** ********-********** ******* cameras, *** **** ** those ******** ** ************** error, ********** **** *** specified ** ***** **** level ** **** ********.

Risk ********-***

*******, ***** *************** **** a ********** *** ****, particularly ******* ***** ****** level *** ** ************* reduced **** ** ******* a ****** ***** ********, something ********* ***** *** quickly **, ** **** have *** *******. *******, because **** ** ***** the ********* *** ********* to *** ****** ** critical ***** ** *** camera, ** ******** **** the ****** **** * botnet ******, ****** ** Vivotek ******* ****** ****** they *** *** ******* root ********* *****, ** using **** *********. 

UPDATE **** **

******* *** ******* ******* firmware *** *** ******** models. ******** *** ** found ** *******'* ******* ****, *** ******** **** have * "****.**" ****.

Comments (1)

Avatar

Brian Karas

IPVM | 07/25/17 08:39pm

UPDATE: Vivotek did release updated firmware for the affected models. Firmware can be found on Vivotek's support page, new firmware will have a "2017.07" date.

Read this IPVM report for free.

This article is part of IPVM's 6,817 reports, 914 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports