Vicon Network Camera Authentication Bypass

2016.07.31
Credit: Reginald Dodd
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

TITLE
Vicon Network Cameras - Authentication Bypass

AUTHOR
Reginald Dodd / Information Security Engineer
https://www.linkedin.com/in/reginalddodd

VENDOR
Vicon Industries Inc.
http://www.vicon-security.com
http://www.vicon-security.com/products/network-cameras/

DESCRIPTION
Remote unauthenticated users can add administrator, operator, or guest accounts to various Vicon network cameras by navigating directly to a specific URL. The URL is missing authentication and gives direct access to the form that creates new accounts.

URL: http://<IP>/system/user_pop.php?method=add&ptz_use=0

With an account, a user can view the live video and alter camera settings.

AFFECTED PRODUCTS AND VERSIONS
Confirmed in products: V920D, V922D, and V-CELL-HD

It is assumed that many more products are affected because the issue was traced to a single web template that is used in many of the vendor's network camera products. After this issue was raised with the vendor, the vendor supplied a firmware release note (dated March 2015) that showed many products and their possible vulnerable firmware versions and the fixed firmware versions:

V-CELL-IP; V660V-P (Europe) - Version T2_V2.7.3 and prior
V920D and V921D - Version T4_V2.1.6 and prior
V922D, V923D, V-CELL-HD, V921B, V922B, V923B, CE202D-N and CE202D-WN - Version T6_V1.9.4 and prior
V905-CUBE - Version T5_V2.4.3 and prior
CE102D-NIR and CE102B-NIR - Version T8_V1.4.3 and prior
SN663V, SN680D-WNIR - Version X1_1.4.9 and prior
SN663V-A, SN680D-A-WNIR - Version X2_1.2.1 and prior

SOLUTION
Check this URL, http://<IP>/system/user_pop.php?method=add&ptz_use=0, on your IP camera(s). If you can add new accounts with no basic authentication prompt, then update the firmware. A fix is available. Users have to manually update each camera.

REFERENCES
http://www.vicon-security.com/Software/Vicon_Camera/V9xxCameras_3-15_Firmware-updated_Release_Notes.pdf
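Because each camera has to be updated by hand, it helps to triage an inventory against the version list above first. The following is an added example, not part of the original advisory or any vendor tooling: it assumes inventory firmware strings use the same format as the advisory (for example T4_V2.1.6), treats anything newer than the listed version as already past the affected range, and uses constructed host names and sample data.

```python
import re

# Last affected firmware per product line, transcribed from the advisory's list.
LAST_AFFECTED = {
    "T2_V2.7.3": ["V-CELL-IP", "V660V-P"],
    "T4_V2.1.6": ["V920D", "V921D"],
    "T6_V1.9.4": ["V922D", "V923D", "V-CELL-HD", "V921B", "V922B", "V923B",
                  "CE202D-N", "CE202D-WN"],
    "T5_V2.4.3": ["V905-CUBE"],
    "T8_V1.4.3": ["CE102D-NIR", "CE102B-NIR"],
    "X1_1.4.9": ["SN663V", "SN680D-WNIR"],
    "X2_1.2.1": ["SN663V-A", "SN680D-A-WNIR"],
}
BY_MODEL = {m: fw for fw, models in LAST_AFFECTED.items() for m in models}
FW_RE = re.compile(r"^([A-Z]\d+)_V?(\d+(?:\.\d+)*)$")

def parse_fw(text):
    """Split 'T4_V2.1.6' into ('T4', (2, 1, 6)); None if unparseable."""
    m = FW_RE.match(text.strip().upper())
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))

def classify(model, firmware):
    limit = BY_MODEL.get(model.strip().upper())
    if limit is None:
        # The advisory assumes more models are affected than it lists.
        return "unlisted"
    have, last_bad = parse_fw(firmware), parse_fw(limit)
    if have is None or have[0] != last_bad[0]:
        return "review"  # unparseable, or a different firmware family
    # Compare numerically so that 1.10.0 sorts after 1.9.4.
    return "update" if have[1] <= last_bad[1] else "newer"

def audit(inventory):
    return {host: classify(model, fw) for host, model, fw in inventory}

# Constructed inventory (hypothetical host names, firmware strings and one
# made-up unlisted model).
INVENTORY = [
    ("cam-lobby", "V920D", "T4_V2.1.6"),
    ("cam-dock", "V922D", "T6_V1.10.0"),
    ("cam-gate", "SN663V", "X2_1.0.0"),
    ("cam-roof", "V910X", "T4_V1.0.0"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "review" or "unlisted" still need the manual check described under SOLUTION, since the advisory expects models beyond its list to share the same web template.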


