Vulnerability Spotlight: Foscam IP Video Camera Firmware Recovery Unsigned Image Vulnerability

This vulnerability was discovered by Claudio Bozzato of Cisco Talos.

Executive Summary

The Foscam C1 Indoor HD Camera is a network-based camera that is marketed for a variety of uses, including as a home security monitoring device. Talos recently identified 32 vulnerabilities present in these devices, and worked with Foscam to develop fixes for them, which we published the details of in two blog posts here and here. In continuing our security assessment of these devices, Talos has discovered an additional vulnerability. In accordance with our coordinated disclosure policy, Talos has worked with Foscam to ensure that this issue has been resolved and that a firmware update is made available for affected customers. This vulnerability could be leveraged by an attacker to gain the ability to completely take control of affected devices.

Vulnerability Details

Foscam IP Video Camera Firmware Recovery Unsigned Image Vulnerability (TALOS-2017-0378 / CVE-2017-2871)

Foscam C1 HD Indoor cameras provide multiple ways to recover from firmware corruption without requiring physical device access. One of the ways allows for the hosting of firmware images on a TFTP server. When the device reboots, it will look for a TFTP server present on the same subnet as the device. An attacker with access to the same subnet as the affected device could leverage this functionality to perform a firmware upgrade on the device without requiring authentication. This could be used to replace the device’s firmware with a specially crafted image, and result in complete device compromise. TALOS-2017-0378 has been assigned CVE-2017-2871. For additional information, please see the advisory here.

Versions Tested

Talos has tested and confirmed that the following Foscam firmware versions are affected:

Foscam Indoor IP Camera C1 Series
System Firmware Version: 1.9.3.18
Application Firmware Version: 2.52.2.43
Plug-In Version: 3.3.0.26

Conclusion

One of the most commonly deployed IP cameras is the Foscam C1. In many cases, these devices may be deployed in sensitive locations. They are marketed for use in security monitoring, and many people use these devices to monitor their homes, children and pets remotely. As such, it is highly recommended that the firmware running on these devices be kept up-to-date to ensure the integrity of the devices, as well as the confidentiality of the information and environments that they are monitoring. Foscam has released a firmware update, available here, to resolve this issue. Users of affected devices should update to this new version as quickly as possible to ensure that their devices are not vulnerable.

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 43559