CERT VU:355151
Mar 07, 2017 - 12:00 a.m.

ACTi cameras models from the D, B, I, and E series contain multiple security vulnerabilities

2017-03-07 00:00:00
www.kb.cert.org

CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.01 Low
Percentile: 83.8%

Overview

According to the reporter, ACTi devices including D, B, I, and E series models using firmware version A1D-500-V6.11.31-AC are vulnerable to several issues.

Description

According to the reporter, multiple ACTi devices, including the D, B, I, and E series models, that use firmware version A1D-500-V6.11.31-AC are vulnerable to several issues. Other models may be affected.

**CWE-306: Missing Authentication for Critical Function** - CVE-2017-3184

The issue is due to the device failing to properly restrict access to the factory reset page. An unauthenticated, remote attacker can exploit this vulnerability by directly accessing the <http://x.x.x.x/setup/setup_maintain_firmware-default.html> page. This will allow an attacker to perform a factory reset on the device, leading to a denial of service condition or the ability to make use of default credentials (CVE-2017-3186).

**CWE-598: Information Exposure Through Query Strings in GET Request** - CVE-2017-3185

The web application uses the GET method to process requests that contain sensitive information such as user account name and password, which can expose that information through the browser’s history, referrers, web logs, and other sources.

**CWE-521: Weak Password Requirements** - CVE-2017-3186

The device uses non-random default credentials across all devices. A remote attacker can take complete control of a device using default admin credentials.

For more information, please read the researcher’s security advisory.
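
A log review for the first two issues, as an added example that is not part of the CERT/CC note or the researcher's advisory. It assumes a reverse proxy or web gateway in front of the cameras that writes Common Log Format with the authenticated user in the third field; the parameter names in `SENSITIVE_PARAMS`, the `/cgi-bin/example` path and the sample lines are constructed, not taken from the device.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Path of the factory reset page named in the advisory (CVE-2017-3184).
RESET_PATH = "/setup/setup_maintain_firmware-default.html"
# Assumed credential-like parameter names; the advisory does not list the real ones.
SENSITIVE_PARAMS = {"user", "username", "account", "pwd", "pass", "password"}

# Common Log Format: host ident authuser [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def review(lines):
    """Return (line_no, client, finding) for requests matching the advisory."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue  # not a request line we can parse
        client, authuser, method, target, status = m.groups()
        url = urlsplit(target)
        # CVE-2017-3184: reset page served (2xx) with no authenticated user logged.
        if url.path.lower() == RESET_PATH and authuser == "-" and status.startswith("2"):
            findings.append((no, client, "unauthenticated factory-reset page access"))
        # CVE-2017-3185: credentials carried in a GET query string.
        if method == "GET":
            names = {k.lower() for k, _ in parse_qsl(url.query, keep_blank_values=True)}
            leaked = sorted(names & SENSITIVE_PARAMS)
            if leaked:
                # Report names only, never the values, to avoid copying secrets again.
                findings.append((no, client, "credentials in query string: " + ",".join(leaked)))
    return findings

# Constructed sample proxy log lines (documentation addresses, made-up values).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Mar/2017:10:00:01 +0000] "GET /setup/setup_maintain_firmware-default.html HTTP/1.1" 200 5120',
    '192.0.2.10 - operator [07/Mar/2017:10:02:13 +0000] "GET /setup/setup_maintain_firmware-default.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [07/Mar/2017:10:03:40 +0000] "GET /cgi-bin/example?USER=alice&PWD=example HTTP/1.1" 200 312',
    '192.0.2.10 - - [07/Mar/2017:10:04:02 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Any line flagged for the query-string issue means the log file itself now holds a credential and should be access-restricted or scrubbed.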


Impact

A remote unauthenticated attacker may be able to perform a factory reset of the device, gain access to sensitive information such as user account name or password, or utilize a known default root admin credential across all devices.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.


Vendor Information


ACTi Corporation Affected

Notified: January 20, 2017 Updated: March 07, 2017

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

| Group | Score | Vector |
|---|---|---|
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 8.5 | E:POC/RL:U/RC:UR |
| Environmental | 6.4 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |

Acknowledgements

Thanks to Mandar Jadhav of the Qualys Vulnerability Signature/Research Team for reporting these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2017-3184, CVE-2017-3185, CVE-2017-3186
Date Public: 2017-03-07 Date First Published:
