UPDATE: Vivotek did release updated firmware for the affected models. Firmware can be found on Vivotek's support page, new firmware will have a "2017.07" date.
Wrongly Accused Critical Vulnerability for Vivotek
Published Jul 13, 2017 13:11 PM
Vulnerabilities are an increasing branding and business problem for video surveillance manufacturers. However, sometimes vulnerabilities reported are not as critical as the reports claim.
Vivotek was recently faced with one but the vulnerability was meaningfully overstated. IPVM discussed this with the researcher who initially reported them and Vivotek, providing a more accurate assessment of the risks inside this report.
Vulnerability *******
***-****-**** ** ****** ** * ******** ***** of **.*, *** ********* * ************* in * *** ****** **** *** be ********* ** ***** ** *************** attacker (*********) ** ******* ***** ******** as ****. ***-****-**** ** ****** ** * *.*, *** describes * ************* ** * ******** cgi ****** **** *** ** ********* to ***** ** *************** ******** ** read *** **** ** *** ******, including ****** ***** **** ** *** password ********.
Original ********** ** ******* **********
******* **, * ******** ********** ** ***** who **** **** ** "********" *** "Chromium1337"********* ******* ** *** ******** ** June ****. ** ********* *********** *** ********** a ******* ******** ***** *** ********, and ******** **** ***** ******** *** exploiting **** ** ***** ***************.
NOT ********* ** *************** *****
***** *** ***'* ***** **** *** vulnerabilities ** *** ******* * ***** to *******, **** ******* *** *** researcher reporting *** ************* *** *********** **** a ******* ********, ****** *** **** ************ *** the ****** ** ***** ****** ****** with ** ***** ********.
Admin-Level ****** ********
*** *************** ******** ******* ** *** web ********* **** *** ************** *****, and ** * ******** ********** *** only ********** ** ***** **** ** admin-level *****. ***** ***** *** ********* the ******* *** *************** ******, ******* ************ recommends ******* ***** ****.
************* *** ***'* ** ******* *** requirement ** **** ******* ****** ** the ****** ***** *** ******* ***** by *, *** ***** *** ************** score *** **** **** ** ** 8. ***** ***** *********** **** ** overall ******* ***********, *** *************** ****** much **** ****** ** ** ********* in ****-***** *********.
Default ** ********
*** *******, ********* *** ************ ** this *****, ** **** ******* ******** to ** ********, ******** *** **** to ****** *** ****** ****** * password ** ***********. **** ** * security **** ** ******.
*******'* ******** ********* ***** ********* *** **** ******** ** *** first **** ***** ********* ********, ************ users *** * ****** ********, *** warning ** *** ***** ** ***** weak ** ** *********. ***** *** follow *******'* ***** *** ******* **** passwords ***** ************* ****** *** ******* of ***** *************** ***** *********. *******, Vivotek ***** ******* *** ******** ** forcing ****** ********* ** *******.
Vivotek Working ** ******* ********
******* ****** **** **** **** ***** of **** ************* **** ***** *********, and **** **** ******* ** ******** updates ** ******* **. ********** ****** ** ************, ********** ** **** ******** ******* available ** **** **, ****.
OEM/ODM ****** *** ********
******* **** ******** ***/*** ******** *** some ********* ** *** ********. ********* to *******, ** **** ***** ***** products *** ******** ********* ** *** company ***'*** *** *******, *** **** those ******** ***** *** **** *******'* scripts, *** ********** ***************.
Few ******** ********** *******
* ****** ***** ******** ********** *** publicly-accessible ******* *******, *** **** ** those ******** ** ************** *****, ********** they *** ********* ** ***** **** level ** **** ********.
Risk ********-***
*******, ***** *************** **** * ********** low ****, ************ ******* ***** ****** level *** ** ************* ******* **** by ******* * ****** ***** ********, something ********* ***** *** ******* **, if **** **** *** *******. *******, because **** ** ***** *** ********* for ********* ** *** ****** ** critical ***** ** *** ******, ** possibly **** *** ****** **** * botnet ******, ****** ** ******* ******* should ****** **** *** *** ******* root ********* *****, ** ***** **** passwords.
UPDATE **** **
******* *** ******* ******* ******** *** the ******** ******. ******** *** ** found ** *******'* ******* ****, *** ******** **** **** * "2017.07" ****.
Comments (1)
Brian Karas
Jul 25, 2017