Xiongmai New Critical Vulnerability - Same Manufacturer Whose Products Drove Mirai Botnet Attacks

By: John Honovich, Published on Dec 12, 2017

Xiongmai, the Chinese manufacturer whose products were primarily responsible for the 2016 Mirai botnet attacks, has a new critical vulnerability, confirmed by US DHS ICS-CERT and scored 9.8 out of 10 on the CVSS scale, just under the perfect 10 given to Hikvision's IP camera backdoor.

[link no longer available]

IPVM spoke with Clinton Mielke [link no longer available], the researcher who discovered the vulnerability, about his discovery, how it can be exploited, and the potential for it to become the basis of a new Mirai-style botnet.


[***************]

Vulnerability *******

* ***** ******** ****** overflow ************* ******* ******** ******* and *********, ******** *** ********* for ********* ** ******* these *******, ** *********** turn **** **** ******* for * *** ******.

*** ************* *** ** exploited ** ******* ****, the **** ****** ******** attackers ** ****** *** device (******* * ****** of ******* *** **** device) **** * ****** URL *******. ***** * specific **** ** ******** devices *** ******** ******** has *** *** **** released, *** ********** ****** it ********* ******* ***** models, **** **** ****** firmware. *** ************* ** linked ** ********** **** support ********'* "*************** ***" interface.

ICS-CERT ranks this a 9.8/10, primarily for its ease of exploit and ability to be exploited remotely.

No ***** ** ******* ********

****** **** ** **** not **** ** ******* proof ** ******* **** showing ******** **** ** leverage *** ************* ** discovered. ** *** ***** **** the ****** ******** ******** sending ** *********** **** string ** **** ** the ******** *** *** web *****, ***** *** be **** **** * simple **** ** **** command, ****** ** ****** easy ** ********.

Botnet *********

*** ********** ******** **** vulnerability *** *** ********* to ** ***** **** to ****** **** *********/****** possibilities, ***** ***** ** the ***** *** ******** a *** ******. **** would ******* ********** ******, however ******** ********, **** as *****, **** ***** that ********** ***** ****** systems *** ** ********* for *****-*** *****, ****** it ****** ****** **** attackers **** ******* **** vulnerability *******, *** **** likely ****** ** ** at *** ********.

No ******** **

******** *** *** ********** to ******** **** *** researcher *** **** ** regards ** **** *********. Thus, ** **** ** available **** ******** ** this **** ** ******* to ******** ****** *** patched ******** ************.

Brands ********

******* ******** ********* ***** to ****, **** ************* affects * **** ******* of ******. * ****** on ****** ****** ******** brands/web ********** *** ***** the *************** ******. ***** many **** ********** ***** ******, some ****** *****, **** as*********, * ***** ***** ******** OEM, **** *****. 


Shared ******* - ****** ***** ************* ********

*** ************* ** ****** in * ******* **** the ********** **** ** used ** ************* ******* XiongMai, ******** ******* ** other ************* ***** ******** as ****. **** *** gives **** ********* ** attackers ** ******* **** vulnerability ** ********* ** it *** ** **** for ****** ** ****** of ******* ********. ********* ** the **********, ***** ******** did *** ****** ** share **** *******/*************, ***** on ***** ** ******* Dahua *****.

Comments (6)

ICS-CERT ranks this a 9.8/10, primarily for its ease of exploit and ability to be exploited remotely.

IMHO, and with all respect to Clinton, 9.8 seems a bit high for something that, so far at least, can only reboot the camera.

Although more work may yield an exploit, it only stands to reason that the researcher has already tried to some degree to extend the vulnerability without success.

There are many such vulnerabilities that could have a solution but one is never found, or at least announced.  

The vendor never responded to ICS-CERT. Score sounds too low to me.

The CERT says:

Successful exploitation of this vulnerability could cause the device to reboot and return to a more vulnerable state in which Telnet is accessible.

and

The stack-based buffer overflow vulnerability has been identified, which may allow an attacker to execute code remotely or crash the device. After rebooting, the device restores itself to a more vulnerable state in which Telnet is accessible.

Does that mean that Telnet is always accessible after this reboot exploit?

The exploit demo'd as part of the submission just reboots the camera, as it was described to us. If the camera has telnet enabled by default, then telnet will be open when it reboots.

 

...just reboots the camera...

In that case, IMHO, the scoring seems to be off, in particular the Confidentiality and Integrity metrics:

 

