Firmware Updates Released for Security Camera Dumpster Fire

Geutebrück cameras

Firmware updates are available for a wide range of security flaws that are bound to cause a lot of problems on the IoT landscape.

The vulnerabilities affect Geutebrück-made IP-based security cameras, but the researchers who uncovered the flaws suspect the same vulnerable firmware might have been used for IP cameras sold by other vendors such as Ganz, Cap, Visualint, THRIVE Intelligence, and UDP Technology.

This is only speculation because researchers were able to confirm that the flaws affect Geutebrück G-Cam/EFD-2250 and Topline TopFD-2125 IP cameras only.

Both products are end-of-life, but Geutebrück released firmware version for the more recent G-Cam series (that is bound to still be deployed) to address the reported issues. The firmware update is available on the vendor’s website.

All flaws are critical-level, easy to exploit, and dangerous

Security researchers find security bugs in routers, IP cameras, and other smart devices on a regular basis these days, but the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has decided to issue an alert detailing these flaws due to their severity. All vulnerabilities have high severity scores ranging from 8.3 to 9.8 (out of a maximum of 10).

ICS-CERT experts who reviewed the original findings —by security researchers Davy Douhine of RandoriSec and Nicolas Mattiocco of Greenlock— say these flaws are remotely exploitable via the Internet and require a low skill level from the attacker to exploit.

Vulnerabilities include a wide range of flaws, rarely seen in the same device at the same time, such as an SQL injection, Cross-Site Request Forgery (CSRF), Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), improper authentication, and improper access control.

“Successful exploitation of these vulnerabilities could lead to proxy network scans, access to a database, adding an unauthorized user to the system, full configuration download including passwords, and remote code execution,” said ICS-CERT in an advisory published yesterday.

These vulnerabilities are the ideal cannon fodder that help IoT botnets stay alive. There is no public exploit code available online, but this is only a matter of time, as exploit code is almost always published a few days after major vulnerabilities are disclosed.

Experts recommend device owners to ensure that these IP cameras —Geutebrück and others— are not accessible from the Internet without a firmware update.

CVE CVSS Score Vulnerability
CVE-2018-7512 8.8 A cross-site scripting vulnerability has been identified, which may allow remote code execution.
CVE-2018-7516 8.3 A server-side request forgery vulnerability has been identified, which could lead to proxied network scans.
CVE-2018-7520 9.8 An improper access control vulnerability has been identified, which could allow a full configuration download, including passwords.
CVE-2018-7524 8.8 A cross-site request forgery vulnerability has been identified, which may allow an unauthorized user to be added to the system.
CVE-2018-7528 9.1 An SQL injection vulnerability has been identified, which may allow an attacker to alter stored data.
CVE-2018-7532 9.8 Unauthentication vulnerabilities have been identified, which may allow remote code execution.