Xiongmai New Critical Vulnerability - Same Manufacturer Whose Products Drove Mirai Botnet Attacks

Author: Brian Karas, Published on Dec 12, 2017

Xiongmai, the Chinese manufacturer whose products were primarily responsible for the 2016 Mirai botnet attack, has a new critical vulnerability, confirmed by US DHS ICS-CERT and scored 9.8 out of 10 on the CVSS scale, just under the perfect 10 given to Hikvision's IP camera backdoor.

IPVM spoke with Clinton Mielke, the researcher who discovered the vulnerability, about his discovery, how it can be exploited, and the potential for it to become the basis of a new Mirai-style botnet.

[The remainder of this report is behind the IPVM member paywall and was extracted as redacted text. The only recoverable structure is its section headings, which begin "Vulnerability", "No ... of ... ", "Botnet", "No ...", "Brands" and "Shared ...", followed by a comment thread of 6 comments, none of whose content is readable here.]
