CERT VU:253708
Jul 07, 2015

Grandstream GXV3611_HD camera is vulnerable to SQL injection

www.kb.cert.org

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.001 Low (Percentile: 50.6%)

Overview

The Grandstream GXV3611_HD is an IP network camera used for surveillance and security. The GXV3611_HD is vulnerable to a SQL injection attack.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-2866

The Grandstream GXV3611_HD camera with firmware version 1.0.3.6 or earlier does not correctly validate input in the username field of the telnet login. An attacker may exploit this weakness to execute a SQL injection attack on the camera’s configuration.


Impact

A remote unauthenticated attacker may be able to perform a SQL injection to view or modify the configuration of the device.


Solution

Update the firmware

Grandstream has released firmware 1.0.3.9 beta to address this issue. Consider updating your camera’s firmware as soon as possible.
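To find which cameras still need the update, the version boundaries stated above can be applied to a device inventory. The following is an added example, not code from CERT or Grandstream; the inventory rows, host names and status labels are constructed, and it assumes that releases after 1.0.3.9 beta keep the fix.

```python
import re

MODEL = "GXV3611_HD"
AFFECTED_MAX = (1, 0, 3, 6)  # advisory: firmware 1.0.3.6 or earlier is vulnerable
FIXED_MIN = (1, 0, 3, 9)     # advisory: 1.0.3.9 beta addresses the issue

# Four dotted numeric fields, optionally followed by a "beta" tag.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s*beta)?\s*$", re.I)


def parse_version(text):
    """Return the firmware version as a tuple of ints, or None if unparsable."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(part) for part in m.groups()) if m else None


def triage(model, firmware):
    """Classify one device against the advisory's version boundaries."""
    if model.strip().upper() != MODEL:
        return "not-in-scope"
    version = parse_version(firmware)
    if version is None:
        return "unknown"       # unreadable version string: check the device by hand
    if version <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED_MIN:
        return "fixed"         # assumption: later releases retain the fix
    return "unconfirmed"       # 1.0.3.7 and 1.0.3.8: the advisory does not say


# Constructed sample inventory: (host, model, reported firmware string).
INVENTORY = [
    ("lobby-cam", "GXV3611_HD", "1.0.3.6"),
    ("dock-cam", "GXV3611_HD", "1.0.2.14"),
    ("roof-cam", "GXV3611_HD", "1.0.3.9 beta"),
    ("gate-cam", "GXV3611_HD", "1.0.3.8"),
    ("lab-cam", "GXV3611_HD", "n/a"),
    ("door-phone", "OTHER_MODEL", "1.0.3.6"),
]


def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(model, fw) for host, model, fw in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as "affected", "unconfirmed" or "unknown" are the ones to follow up on.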


Vendor Information


Grandstream: Affected

Updated: June 30, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

According to the vendor, this issue has been officially resolved in the latest beta firmware (version 1.0.3.9 beta).

CVSS Metrics

| Group | Score | Vector |
| --- | --- | --- |
| Base | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| Temporal | 5 | E:POC/RL:OF/RC:C |
| Environmental | 3.8 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |

References

<http://www.grandstream.com/support/firmware>

Acknowledgements

Thanks to the Living Lab at IUPUI for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2866
Date Public: 2015-07-07 Date First Published:
