Wrongly Accused Critical Vulnerability for Vivotek

By Brian Karas, Published on Jul 13, 2017

Vulnerabilities are an increasing branding and business problem for video surveillance manufacturers. However, sometimes vulnerabilities reported are not as critical as the reports claim. 

Vivotek was recently faced with one but the vulnerability was meaningfully overstated. IPVM discussed this with the researcher who initially reported them and Vivotek, providing a more accurate assessment of the risks inside this report.

Vulnerability *******

***-****-**** ** ****** ** * severity ***** ** **.*, and ********* * ************* in * *** ****** that *** ** ********* to ***** ** *************** attacker (*********) ** ******* shell ******** ** ****. ***-****-**** ** ****** ** * 5.0, *** ********* * vulnerability ** * ******** cgi ****** **** *** be ********* ** ***** an *************** ******** ** read *** **** ** the ******, ********* ****** files **** ** *** password ********.

Original ********** ** ******* **********

******* **, * ******** ********** in ***** *** **** goes ** "********" *** "Chromium1337"********* ******* ** *** findings ** **** ****. ** ********* *********** and ********** * ******* firmware ***** *** ********, and ******** **** ***** examples *** ********** **** of ***** ***************.

NOT ********* ** *************** *****

***** *** ***'* ***** that *** *************** ** not ******* * ***** to *******, **** ******* and *** ********** ********* *** vulnerability *** *********** **** a ******* ********, ****** *** **** specifically *** *** ****** to ***** ****** ****** with ** ***** ********.

Admin-Level ****** ********

*** *************** ******** ******* in *** *** ********* used *** ************** *****, and ** * ******** deployment *** **** ********** to ***** **** ** admin-level *****. ***** ***** can ********* *** ******* for *************** ******, ******* ************ recommends ******* ***** ****.

************* *** ***'* ** reflect *** *********** ** have ******* ****** ** the ****** ***** *** overall ***** ** *, and ***** *** ************** score *** **** **** 10 ** *. ***** still *********** **** ** overall ******* ***********, *** vulnerabilities ****** **** **** likely ** ** ********* in ****-***** *********.

Default ** ********

*** *******, ********* *** contributing ** **** *****, is **** ******* ******** to ** ********, ******** any **** ** ****** the ****** ****** * password ** ***********. **** is * ******** **** in ******.

*******'* ******** ********* ***** ********* *** **** ******** as *** ***** **** after ********* ********, ************ users *** * ****** password, *** ******* ** the ***** ** ***** weak ** ** *********. Users *** ****** *******'* guide *** ******* **** passwords ***** ************* ****** the ******* ** ***** vulnerabilities ***** *********. *******, Vivotek ***** ******* *** security ** ******* ****** passwords ** *******.

 

Vivotek Working ** ******* ********

******* ****** **** **** made ***** ** **** vulnerability **** ***** *********, and **** **** ******* on ******** ******* ** resolve **. ********** ****** ** ************, ********** ** **** firmware ******* ********* ** July **, ****.

OEM/ODM ****** *** ********

******* **** ******** ***/*** products *** **** ********* in *** ********. ********* to *******, ** **** cases ***** ******** *** firmware ********* ** *** company ***'*** *** *******, and **** ***** ******** would *** **** *******'* scripts, *** ********** ***************.

Few ******** ********** *******

* ****** ***** ******** relatively *** ********-********** ******* cameras, *** **** ** those ******** ** ************** error, ********** **** *** specified ** ***** **** level ** **** ********.

Risk ********-***

*******, ***** *************** **** a ********** *** ****, particularly ******* ***** ****** level *** ** ************* reduced **** ** ******* a ****** ***** ********, something ********* ***** *** quickly **, ** **** have *** *******. *******, because **** ** ***** the ********* *** ********* to *** ****** ** critical ***** ** *** camera, ** ******** **** the ****** **** * botnet ******, ****** ** Vivotek ******* ****** ****** they *** *** ******* root ********* *****, ** using **** *********. 

UPDATE **** **

******* *** ******* ******* firmware *** *** ******** models. ******** *** ** found ** *******'* ******* ****, *** ******** **** have * "****.**" ****.

Comments (1)

Avatar

Brian Karas

IPVM | 07/25/17 08:39pm

UPDATE: Vivotek did release updated firmware for the affected models. Firmware can be found on Vivotek's support page, new firmware will have a "2017.07" date.

Read this IPVM report for free.

This article is part of IPVM's 6,599 reports, 889 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Forced Door Alarms For Access Control Tutorial on Aug 17, 2020
One of the most important access control alarms is also often ignored....
Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
Facial Recognition: Weak Sales, Anti Regulation, No Favorite, Says Security Integrators on Jul 07, 2020
While facial recognition has gained greater prominence, a new IPVM study of...
Beware Rigged China Fever Cameras on Sep 08, 2020
Many China fever camera manufacturers have rigged algorithms dynamically...
Convergint Refuses To Fix Faked Fever Marketing, FTC Complaint Filed on Jun 19, 2020
Since Convergint has refused to fix their faked fever camera marketing, IPVM...
Injes Tiny Temperature Terminal Tested on Jul 17, 2020
While temperature terminals have trended bigger, the Injes DFace801 is...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
Don't Be Fooled By Hot Water Bottle Fever Camera Demos on Aug 24, 2020
Fever camera salesmen like to fool buyers (and themselves) with hot water...
Faked Convergint Fever Camera 'Expert' Marketing on Jun 16, 2020
Convergint touts they are "THERMAL CAMERA SOLUTION EXPERTS" while faking...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...
Mobile Access Control Usage Statistics 2020 on Sep 21, 2020
Most smartphones can be used as access control credentials, but how...
FLIR Markets Windows Temperature Screening, Violates IEC And Causes Performance Problems on Jul 17, 2020
FLIR, one of the largest thermal screening manufacturers, is marketing...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...

Recent Reports

Bedside Cough and Sneeze Detector (Sound Intelligence and CLB) on Oct 28, 2020
Coronavirus has increased interest in detecting symptoms such as fever and...
Fever Tablet Thermal Sensors Examined (Melexis) on Oct 28, 2020
Fever tablet suppliers heavily rely on the accuracy and specs of...
Verkada Fires 3 on Oct 28, 2020
Verkada has fired three employees over an incident where female colleagues...
Recruiters Online Show LIVE Thursday! on Oct 27, 2020
IPVM's 7th online show resumes Thursday with 12 recruiters presenting...
Eagle Eye Networks Raises $40 Million on Oct 27, 2020
Eagle Eye has raised $40 million aiming to "reinvent video...
Hikvision Q3 2020 Global Revenue Rises, US Revenue Falls on Oct 27, 2020
While Hikvision's global revenue rises driven by domestic recovery, its US...
VICE Investigates Verkada's Harassing "RawVerkadawgz" on Oct 26, 2020
This month, IPVM investigated Verkada's sexism, discrimination, and cultural...
Six Flags' FDA Violating Outdoor Dahua Fever Cameras on Oct 26, 2020
As Six Flags scrambled to reopen parks amid plummeting revenues caused by the...
ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...