Brickcom IP Camera Credentials Disclosure


Publication Date: 2017-03-20
Last Update: 2017-03-20
Current Version: V3.2.3.5.6build8 (for WCB-040Af), v3.7.0.2cbuild1 (for VD-202Ne v6 and OSD-200Np 30X)

SUMMARY

The latest firmware update for the affected IP camera products fixes security vulnerabilities that could allow a remote attacker with a low-privilege account to obtain administrator credentials and perform administrative operations under certain conditions.


AFFECTED PRODUCTS

  • WCB-040Af
  • VD-202Ne v6
  • OSD-200Np 30X


DESCRIPTION

The IP camera product is a full-featured, enterprise-grade product for security monitoring. Details of the vulnerabilities are listed below.


VULNERABILITY CLASSIFICATION

  • The IP camera has a serial port (accessible by disassembling the unit). The serial console is unauthenticated, so anyone with physical access to the unit can use it as an entry point into the network.
  • A non-administrator user account can retrieve the camera configuration by issuing CGI commands.
  • The camera ships with the default user accounts viewer and rviewer. Both can issue API requests and obtain sensitive information such as administrator credentials.
  • The camera's API exposes a set of methods, including maintenance and operation functions, to low-privilege user accounts. For example, a low-privilege account can obtain all user names and passwords via cgi-bin/users.cgi?action=getUsers.
  • OpenVPN configuration files and passwords are accessible from the camera, and the serial port gives easy access to the VPN profile and certificates. A malicious user can reuse these files to establish a VPN connection to other servers and gain access to the internal network.
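The following script is an added example for this advisory, not Brickcom tooling. It issues cgi-bin/users.cgi?action=getUsers as one of the default low-privilege accounts (viewer or rviewer) and classifies the answer: a rejected request or blank password fields means the camera behaves like the fixed firmware, while non-empty password values returned to a viewer account reproduce the credential disclosure above. Assumptions not stated on the page: the camera accepts HTTP Basic authentication on port 80, and the user list is returned as text in which each password is a "password=<value>" field. Because the exact response format is not documented here, the classifier only looks for password-like fields and flags anything else for manual review. The sample bodies in the block are constructed, not captured from a device.

```python
"""Check whether a Brickcom camera returns credentials to a low-privilege
account via cgi-bin/users.cgi?action=getUsers.

Added example for this advisory; not Brickcom's own tooling. Assumptions:
HTTP Basic auth on port 80, and a text response containing
'password=<value>' style fields (the real format is not documented here).
"""
import base64
import re
import urllib.error
import urllib.request

# Default low-privilege accounts named in the advisory. Their passwords are
# not given on the page and must be supplied by the operator.
LOW_PRIV_ACCOUNTS = ("viewer", "rviewer")
GETUSERS_PATH = "/cgi-bin/users.cgi?action=getUsers"

# Assumed field syntax: password= / passwd= / pwd= followed by the value,
# terminated by whitespace or a common separator.
PASSWORD_FIELD = re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd)\s*[=:]\s*([^\s,;&]*)")


def classify_response(status, body):
    """Classify a getUsers response obtained with a low-privilege account.

    Returns (finding, detail) where finding is one of:
      'fixed'       request rejected (401/403), empty body, or password fields blank
      'exposed'     HTTP 200 with non-empty password values (credential disclosure)
      'suspicious'  anything else; review the body manually
    """
    if status in (401, 403) or not body.strip():
        return "fixed", "low-privilege account cannot read the user list"
    if status != 200:
        return "suspicious", "unexpected HTTP %d" % status
    fields = PASSWORD_FIELD.findall(body)
    values = [v for v in fields if v]
    if values:
        return "exposed", "%d non-empty password value(s) returned" % len(values)
    if fields:
        # Matches the fixed behaviour: user list readable but passwords blanked.
        return "fixed", "password fields present but blank"
    return "suspicious", "user list readable, no password fields recognised"


def fetch_get_users(host, user, password, timeout=10):
    """Issue getUsers as the given account over plain HTTP; return (status, body)."""
    url = "http://%s%s" % (host, GETUSERS_PATH)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


# Constructed sample bodies (not captured from a camera) to exercise the
# classifier offline: one vulnerable-style listing, one with blanked passwords.
SAMPLE_VULNERABLE = (
    "user=admin,password=s3cret,privilege=admin\n"
    "user=viewer,password=viewer,privilege=viewer\n"
)
SAMPLE_FIXED = "user=admin,password=,privilege=admin\n"


if __name__ == "__main__":
    import argparse
    import getpass
    import sys

    ap = argparse.ArgumentParser(description="getUsers privilege check (added example)")
    ap.add_argument("host", help="camera address, e.g. 192.0.2.10")
    ap.add_argument("--user", default="viewer", choices=LOW_PRIV_ACCOUNTS)
    ap.add_argument("--password", help="password of the low-privilege account (prompted if omitted)")
    args = ap.parse_args()
    pw = args.password or getpass.getpass("password for %s: " % args.user)
    status, body = fetch_get_users(args.host, args.user, pw)
    finding, detail = classify_response(status, body)
    print("%s: %s (%s)" % (args.host, finding, detail))
    sys.exit(1 if finding == "exposed" else 0)
```

Run it against a camera before and after applying the fixed firmware: "exposed" confirms the disclosure, "fixed" is the expected result once the API is restricted to the administrator account. The script does not cover the serial port or OpenVPN findings, which require physical access to verify.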


SOLUTION

Brickcom provides new firmware that fixes these vulnerabilities for the affected products. Version: V3.2.3.5.6build11 (for WCB-040Af), v3.7.4.2cbuild1 (for VD-202Ne v6 and OSD-200Np 30X)

  • Add an authentication mechanism for the serial port: a password check must be passed before access is granted.
  • Narrow the user privilege model: only the administrator user account remains.
  • Review and update all API commands: every API command requires the correct password, and API commands only work with the administrator user account.
  • To enhance file security, the password field in the exported configuration file is left empty.
  • For the OpenVPN function, remove the certificate upload feature from the web page.


ADDITIONAL RESOURCES

NA