Randorisec has released a blog detailing multiple Remote Code Execution (RCE) vulnerabilities in UDP Technology’s IP camera firmware, along with Proof-of-Concept (PoC) exploit code. Some of these are unpatched from earlier firmware releases and combined with a new authentication bypass. These apply to the firmware 188.8.131.52 and earlier versions, but are patched by the newest firmware release on June 30th. In addition to selling cameras under its own brand in Asia, UDP Tech supplies for the firmware for a number of security/IP camera vendors including: Geutebruck, Ganz, Visualint, Cap, THRIVE Intelligence, Sophus, VCA, TripCorps, Sprinx Technologies, Smartec, and Riva. A root shell will allow a foothold with persistence onto the network, as well as full access to the camera’s data and ongoing video stream.
The most recent firmware release addresses these vulnerabilities and with public disclosure of the exploit code, should be prioritized in accordance with the risks these cameras present as appropriate for an organization’s risk management framework. Security cameras and other IOT devices are often overlooked as vulnerabilities and can provide significant access and information to adversaries even if appropriate network segmentations are emplaced. Automated searches such as shodan.io make identifying these potential routes easy for attackers. Cameras need to be incorporated into a robust vulnerability management and threat detection program, which includes MDR such as the services offered by Binary Defense.