Sony addressed two remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code on affected devices.
The first vulnerability, tracked as CVE-2018-3937, is a command injection issue that affects the measurementBitrateExec features implemented in the IPELA E Series Network Camera.
The vulnerability was reported by the researchers Cory Duplantis and Claudio Bozzato from Cisco Talos. An attacker could execute arbitrary code by sending specially crafted HTTP GET request to vulnerable devices.
“An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability. Detailed vulnerability information can be found here.” wrote the researchers.
The experts explained that the devices fail to check on the server address while parsing the input measurement string. The attacker can provide any string as the server address and it will be executed via system.
“While parsing the input measurement string, there isn’t a check on the server address (-c). In this manner, any string can be placed as the server address and will be executed via system. Knowing this, an attacker can execute arbitrary commands in the position of the server address,” continues the experts.
The second issue, tracked as CVE-2018-3938, is a stack buffer overflow that resides in the 802dot1xclientcert.cgi functionality of the Sony IPELA E Series Camera products.
“An exploitable stack buffer overflow vulnerability exists in the “802dot1xclientcert.cgi” functionality of Sony IPELA E Series Camera. A specially crafted POST request can cause a stack buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability. Detailed vulnerability information can be found here.” wrote the researchers.
The vulnerability could be exploited by sending specially crafted POST request.
“A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability,” continues the experts.
The 802dot1xclientcert.cgi component is “designed to handle everything related to certificate management for 802.1x.”
The system fails to check the strlen length of the incoming data that is directly copied to a local buffer via memcpy. This means that the attacker can provide content to trigger the stack-based buffer overflow that could allow the attacker to remotely execute commands on the affected device.
Both vulnerabilities effects Sony IPELA E series G5 firmware 1.87.00, the tech giant released an update last week to address them.