ID: CVE-2018-4017
Type: cve
Reporter: cve@mitre.org
Modified: 2019-05-15T14:11:00
Description
An exploitable vulnerability exists in the Wi-Fi Access Point feature of the Roav A1 Dashcam running version RoavA1_SW_V1.9. A set of default credentials can potentially be used to connect to the device. An attacker can connect to the AP to trigger this vulnerability.
{"talos": [{"lastseen": "2020-07-01T21:25:29", "bulletinFamily": "info", "cvelist": ["CVE-2018-4017"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0688\n\n## Anker Roav A1 Dashcam Wifi AP Default Credential Vulnerability\n\n##### May 13, 2019\n\n##### CVE Number\n\nCVE-2018-4017\n\n### Summary\n\nAn exploitable vulnerability exists in the Wi-Fi Access Point feature of the Roav A1 Dashcam running version \u201cRoavA1_SW_V1.9.\u201d A set of default credentials can potentially be used to connect to the device. An attacker can connect to the AP to trigger this vulnerability.\n\n### Tested Versions\n\nAnker Roav A1 Dashcam RoavA1_SW_V1.9\n\n### Product URLs\n\n<https://goroav.com/products/roav-dash-cam-a1>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-798: Use of Hard-coded Credentials\n\n### Details\n\nThe Roav A1 Dashcam by Anker is a dashboard camera that allows users to connect using the Roav app for Android and iOS so that they can toggle settings and download videos from the dashcam, along with a host of other features. In order to do this, users must first enable the \u201cWi-Fi AP\u201d setting manually on the dashcam, and then connect to the \u201cRoav_A1_\u201d SSID, with the default password of \u201cgoroavcam.\u201d\n\nFrom here, it\u2019s not required that the user changes the default password, although it is an available option. 
As such, the combination of this default credential and the manual start of the Wi-Fi AP itself serve as the only means of protection from attackers (due to the lack of authentication anywhere else).\n\n### Timeline\n\n2018-10-29 - Vendor Disclosure \n2018-11-02 - 2nd vendor contact \n2018-11-05 - Vendor acknowledged & created ticket reference \n2019-01-03 - 60 day follow up; Vendor closed ticket and advised issue under review with Engineering team; Talos requested point of contact for Engineering team \n2019-03-06 - 90 + day follow up \n2019-03-27 - Final notice of public disclosure \n2019-04-18 - Suggested public disclosure date (171 days after initial disclosure) 2019-05-13 - Public Release\n\n##### Credit\n\nDiscovered by Lilith of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0698\n\nPrevious Report\n\nTALOS-2018-0687\n", "edition": 4, "modified": "2019-05-13T00:00:00", "published": "2019-05-13T00:00:00", "id": "TALOS-2018-0688", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0688", "title": "Anker Roav A1 Dashcam Wifi AP Default Credential Vulnerability", "type": "talos", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2019-05-17T10:19:09", "bulletinFamily": "blog", "cvelist": ["CVE-2018-4014", "CVE-2018-4016", "CVE-2018-4017", "CVE-2018-4018", "CVE-2018-4023", "CVE-2018-4024", "CVE-2018-4025", "CVE-2018-4026", "CVE-2018-4027", "CVE-2018-4028", "CVE-2018-4029"], "description": "[](<http://3.bp.blogspot.com/-d2C7sxRpxBs/XNl3zEnfwcI/AAAAAAAAGWk/om9qPxzbA_MXU-52GWhUI8xmqka2pfgMgCK4BGAYYCw/s1600/recurring%2Bblog%2Bimages_vuln%2Bspotlight.jpg>)_ \n_ \n_Lilith Wyatt of Cisco Talos discovered these vulnerabilities._ \n\n\n### Executive Summary \n\nCisco Talos is disclosing multiple vulnerabilities in the Anker Roav A1 Dashcam and the Novatek NT9665X chipset. 
The Roav A1 Dashcam by Anker is a dashboard camera that allows users to connect using the Roav app for Android and iOS so that the users can toggle settings and download videos from the dashcam, along with a host of other features. These vulnerabilities could be leveraged by an attacker to gain arbitrary code execution on affected devices. \n \nIn accordance with our coordinated disclosure policy, Cisco Talos worked with Novatek to ensure that some of these issues are resolved and that an update is available for affected customers. However, we were unable to contact Anker, therefore, TALOS-2018-0685, TALOS-2018-0687 and TALOS-2018-0688 remain unpatched. \n \n\n\n### Vulnerability Details\n\n**Anker Roav A1 Dashcam WifiCmd Code 9999 execution vulnerability (TALOS-2018-0685/CVE-2018-4014)** \n \nAn exploitable code execution vulnerability exists in a Wifi Command of the Roav A1 Dashcam. A specially crafted packet can cause a stack-based buffer overflow. An attacker can send a packet to trigger this vulnerability, resulting in code execution on an affected device. For additional information, please see the advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0685>). \n \n**Anker Roav A1 Dashcam stack overflow code execution vulnerability (TALOS-2018-0687/CVE-2018-4016)** \n \nThe URL-parsing functionality of the Roav A1 Dashcam is vulnerable to code execution. A specially crafted packet can cause a stack-based buffer overflow. An attacker can send a packet to trigger this vulnerability, resulting in code execution on an affected device. For additional information, please see the advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0687>). \n \n**Anker Roav A1 Dashcam Wifi AP default credential vulnerability (TALOS-2018-0688/CVE-2018-4017)** \n \nThe Roav A1 Dashcam contains a default credential that can be exploited. The device uses a default password and does not require the user to change it. 
For additional information, please see the advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0688>). \n \n**Novatek NT9665X HTTP upload firmware update vulnerability (TALOS-2018-0689/CVE-2018-4018)** \n \nAn exploitable firmware update vulnerability exists in the NT9665X Chipset firmware, running on Anker Roav A1 Dashcam version \"RoavA1_SW_V1.9\". The HTTP server allows for arbitrary firmware binaries to be uploaded which will be flashed upon next reboot. An attacker can send an HTTP PUT request or upgrade firmware request to trigger this vulnerability. For additional information, please see the advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0689>). \n \n**Novatek NT9665X XML_UploadFile path overflow code execution vulnerability** \n**(TALOS-2018-0695/CVE-2018-4023)** \n \nAn exploitable code execution vulnerability exists in the `XML_UploadFile` WiFi command of the NT9665X Chipset firmware, running on Anker Roav A1 Dashcam version \"RoavA1_SW_V1.9\". A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. For additional information, please see the advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0695>). \n \n**Novatek NT9665X XML_GetThumbNail denial-of-service vulnerability (TALOS-2018-0696/CVE-2018-4024)** \n \nAn exploitable denial-of-service vulnerability exists in the thumbnail display functionality of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version \"RoavA1_SW_V1.9\". A specially crafted packet can cause a null pointer to dereference, resulting in a device reboot. For additional information, please see the advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0696>). 
\n \n**Novatek NT9665X XML_GetRawEncJpg denial-of-service vulnerability (TALOS-2018-0697/CVE-2018-4025)** \n \nAn exploitable denial of service vulnerability exists in the `XML_GetRawEncJpg` WiFi command of the NT9665X Chipset firmware, running on Anker Roav A1 Dashcam version \"RoavA1_SW_V1.9\". A specially crafted packet can cause an invalid memory to dereference, resulting in a device reboot. An attacker can send a packet to trigger this vulnerability. For additional information, please see the advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0697>). \n \n**Novatek NT9665X XML_GetScreen Strncmp denial-of-service vulnerability (TALOS-2018-0698/CVE-2018-4026)** \n \nAn exploitable denial-of-service vulnerability exists in the `XML_GetScreen` Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version \"RoavA1_SW_V1.9.\u201d A specially crafted set of packets can cause an invalid memory to dereference, resulting in a device reboot. For additional information, please see the advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0698>). \n \n**Novatek NT9665X XML_UploadFile WifiCmd denial-of-service vulnerability (TALOS-2018-0699/CVE-2018-4027) ** \n \nAn exploitable denial-of-service vulnerability exists in the `XML_UploadFile` Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version \"RoavA1_SW_V1.9.\u201d A specially crafted packet can cause a semaphore deadlock, which prevents the device from receiving any physical or network inputs. An attacker can send a specially crafted packet to trigger this vulnerability. For additional information, please see the advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0699>). 
\n \n**Novatek NT9665X HFS overwrite denial-of-service vulnerability (TALOS-2018-0700/CVE-2018-4028)** \n \nAn exploitable firmware update vulnerability exists in the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version \"RoavA1_SW_V1.9.\u201d The HTTP server could allow an attacker to overwrite the root directory of the server, resulting in a denial of service. An attacker can send an HTTP POST request to trigger this vulnerability. When this denial-of-service vulnerability is paired up with TALOS-2018-0699, the Anker Dashcam is completely disabled until the battery runs out. For additional information, please see the advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0700>). \n \n**Novatek NT9665X HFS Recv buffer overflow code execution vulnerability (TALOS-2018-0701/CVE-2018-4029) ** \n \nAn exploitable code execution vulnerability exists in the HTTP request-parsing function of the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version \"RoavA1_SW_V1.9.\u201d A specially crafted packet can cause an unlimited and arbitrary write to memory, resulting in code execution. For additional information, please see the advisory [here](<http://www.talosintelligence.com/reports/TALOS-2018-0701>). \n\n\n### Coverage\n\nThe following SNORT\u24c7 rules detect attempts to exploit TALOS-2018-0685, TALOS-2018-0699, TALOS-2018-0698, TALOS-2018-0697, TALOS-2018-0696, and TALOS-2018-0695. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org. \n \n**Snort Rules:** 40866, 48250, 48251, 48253, 48254, 48255 \n\n\n### Versions Tested\n\nTalos has tested and confirmed that the following Roav A1 Dashcam versions are affected: Anker Roav A1 Dashcam version \"RoavA1_SW_V1.9\" and the Novatek NT9665X chipset firmware. 
\n \n \n\n\n", "modified": "2019-05-13T07:04:35", "published": "2019-05-13T07:04:35", "id": "TALOSBLOG:99A2F64B0ED6FF664FE86493335C01FC", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/Viua7FSt2G4/vulnerability-spotlight-multiple.html", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple vulnerabilities in the Roav A1 Dashcam", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}