Multiple Vulnerabilities in Pelco Sarix Professional Could Allow for Code Execution

ITS Advisory Number: 2018-031
Date(s) Issued: Wednesday, March 21, 2018
Subject: Multiple Vulnerabilities in Pelco Sarix Professional Could Allow for Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Pelco Sarix Professional IP cameras, the most severe of which could allow for code execution. Pelco Sarix Professional is a series of professional IP cameras used indoors and outdoors. Successful exploitation of these vulnerabilities could allow an attacker to execute code, bypass security restrictions, gain access to sensitive information, and perform unauthorized actions.

Systems Affected: 
• Pelco Sarix Professional cameras with firmware versions prior to 3.29.67

RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low

Description: 

Multiple vulnerabilities have been discovered in Pelco Sarix Professional IP cameras, the most severe of which could allow for code execution. Details of the vulnerabilities are as follows:

  • An information disclosure vulnerability in which retrieving specially crafted URLs without authentication can reveal sensitive information to an attacker. (CVE-2018-7227)
  • An authentication bypass vulnerability which could allow an unauthenticated, remote attacker to bypass authentication and get administrator privileges. (CVE-2018-7228)
  • An authentication bypass vulnerability which could allow an unauthenticated, remote attacker to bypass authentication and gain administrator privileges due to hard coded credentials. (CVE-2018-7229)
  • An XML external entity vulnerability in the import.cgi of the web interface. (CVE-2018-7230)
  • A command execution vulnerability caused by a lack of validation of shell metacharacters in the value of 'system.opkg.remove'. (CVE-2018-7231)
  • A command execution vulnerability caused by a lack of validation of shell metacharacters in the value of 'network.ieee8021x.delete_certs'. (CVE-2018-7232)
  • A command execution vulnerability caused by a lack of validation of shell metacharacters in the value of 'model_name' or 'mac_address'. (CVE-2018-7233)
  • An arbitrary file download caused by the lack of validation of the SSL certificate file. (CVE-2018-7234)
  • A command execution vulnerability caused by a lack of validation of shell metacharacters in the value of 'system.download.sd_file'. (CVE-2018-7235)
  • An authentication bypass vulnerability that could allow the SSH service to be enabled, caused by the lack of authentication for /login/bin/set_param. (CVE-2018-7236)
  • An arbitrary file delete vulnerability that could allow a remote attacker to delete arbitrary system files because /login/bin/set_param does not validate the file name passed in the value of 'system.delete.sd_file'. (CVE-2018-7237)
  • A buffer overflow vulnerability within the web-based GUI of Sarix Pro that could allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2018-7238)

Successful exploitation of these vulnerabilities could allow an attacker to execute code, bypass security restrictions, gain access to sensitive information, and perform unauthorized actions.

Actions: 
  • After appropriate testing, immediately apply firmware updates provided by Pelco to vulnerable systems.
  • Verify no unauthorized system modifications have occurred before applying the patch.
  • Where possible, place the cameras behind a firewall and limit external network access to affected products. 
  • Apply the Principle of Least Privilege to all systems and services.
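
To find which cameras fall under "firmware versions prior to 3.29.67" and which to patch or firewall first, the following added example (not part of the original advisory or any Pelco tooling) triages an asset inventory. The CSV column names, host names and the three-part dotted version format are assumptions; versions are compared numerically because plain string comparison misorders values such as 3.29.9 and 3.29.67.

```python
import csv
import io
import re

FIXED = (3, 29, 67)  # first fixed firmware version named in the advisory

# Constructed sample inventory: hosts, versions and column names are made up.
SAMPLE_INVENTORY = """host,firmware,external
cam-lobby,3.29.67,no
cam-dock,3.29.9,yes
cam-roof,3.3.1,no
cam-gate,03.30.02,yes
cam-lab,unknown,yes
cam-yard,3.29.66-beta,no
"""

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is unreadable."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(firmware):
    """'vulnerable' if prior to FIXED, 'patched' otherwise, 'unknown' if unparseable."""
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # needs manual review; never assume it is patched
    return "vulnerable" if version < FIXED else "patched"

def triage(inventory_csv):
    """Return (host, status, external) for devices needing action, exposed ones first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(rec["firmware"])
        if status != "patched":
            external = rec["external"].strip().lower() == "yes"
            rows.append((rec["host"], status, external))
    # Externally reachable first, then vulnerable before unknown, then by host name.
    return sorted(rows, key=lambda r: (not r[2], r[1] != "vulnerable", r[0]))

if __name__ == "__main__":
    for host, status, external in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {status:10} {'EXTERNAL' if external else 'internal'}")
```

Devices reported as "unknown" stay on the action list so that an unreadable version string is never counted as patched.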