
CERT Polska, operating within the National Research Institute (NASK), has disclosed security vulnerabilities affecting Smartwares CIP-37210AT and C724IP cameras, potentially leaving countless users exposed to remote attacks. A responsible vulnerability report from Afine Team’s Michał Majchrowicz and Marcin Wyczechowski led to the disclosure, which exposed deeply troubling firmware security issues.
The core issue revolves around three distinct vulnerabilities, each posing a significant threat to user privacy and security.
Command Injection: An Open Door for Remote Control (CVE-2024-13892, CVSSv4 7.7)
First up, we have CVE-2024-13892, a high-severity command injection flaw. This vulnerability arises during the initial setup process, where users configure their cameras using a mobile app and input Access Point credentials. “This input is not properly sanitized, what allows for command injection,” CERT Polska warns.
Telnet Service and Shared Credentials: Backdoor Access (CVE-2024-13893, CVSSv4 7.5)
Next, CVE-2024-13893 reveals that these cameras, and likely others sharing the same firmware, might use identical credentials for their telnet service. This is compounded by the fact that the password hash can be extracted via physical access to the SPI-connected memory. To enable telnet, an SD card with a specifically named folder is required. While this adds a small layer of complexity, it’s hardly robust security. This could allow an attacker with physical access and some knowledge to gain remote telnet access.
Path Traversal: Unrestricted Access to Sensitive Data (CVE-2024-13894, CVSSv4 5.9)
Finally, CVE-2024-13894 exposes a path traversal vulnerability. When connected to a mobile app, the cameras open port 10000, allowing users to download captured images by specifying file paths. However, CERT Polska discovered that “the directories to which a user has access are not limited, allowing for path traversal attacks and downloading sensitive information.” This means an attacker could potentially access any file on the device’s storage, not just the intended images.
Vendor Silence and Uncertain Patching Status
The most alarming aspect of this disclosure is the vendor’s apparent lack of response. “The vendor has not replied to reports, so the patching status remains unknown,” CERT Polska states. Furthermore, the advisory notes that “newer firmware versions might be still vulnerable, as well other products that share the same firmware (only CIP-37210AT and C724IP cameras were tested).”
What Users Should Do
Given the lack of vendor response, users of Smartwares CIP-37210AT and C724IP cameras, as well as any devices using similar firmware, should take immediate steps to mitigate the risks.
- Isolate the Cameras: If possible, place the cameras on a separate network segment to minimize the potential impact of a compromise.
- Restrict Internet Access: Block the cameras from accessing the internet if remote viewing is not essential.
- Monitor Network Traffic: Use network monitoring tools to detect any unusual activity emanating from the cameras.
- Consider Replacement: If security is paramount, consider replacing the affected cameras with models from vendors with a proven track record of timely security updates.
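To make the isolation and monitoring steps above concrete, the following added example (not from the CERT Polska advisory or the vendor) checks flow records against a simple policy for the cameras. The camera addresses, the trusted client subnet, the LAN range, the use of the default telnet port 23 and the flow-record format are all assumptions; only port 10000 comes from the advisory.

```python
import ipaddress

# Assumptions (not from the advisory): camera addresses, trusted client subnet,
# LAN range, default telnet port 23, and the flow-record format used below.
CAMERAS = {ipaddress.ip_address("192.168.50.10"), ipaddress.ip_address("192.168.50.11")}
TRUSTED_CLIENTS = ipaddress.ip_network("192.168.10.0/24")
LAN = ipaddress.ip_network("192.168.0.0/16")
TELNET_PORT = 23
IMAGE_PORT = 10000  # file-download port named in the advisory

# Constructed sample flow records: "time src dst dport"
SAMPLE_FLOWS = """\
2025-03-01T10:00:01 192.168.10.25 192.168.50.10 10000
2025-03-01T10:02:17 192.168.50.77 192.168.50.10 10000
2025-03-01T10:05:40 192.168.10.25 192.168.50.11 23
2025-03-01T10:09:03 192.168.50.10 203.0.113.45 443
2025-03-01T10:11:59 192.168.50.11 192.168.10.25 51544
"""

def parse_flow(line):
    """Split one record into (timestamp, src address, dst address, dst port)."""
    ts, src, dst, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def classify(src, dst, dport):
    """Return an alert name for a flow, or None if it matches the policy."""
    if dst in CAMERAS:
        if dport == TELNET_PORT:
            # Telnet should never be reachable on these devices.
            return "telnet-to-camera"
        if dport == IMAGE_PORT and src not in TRUSTED_CLIENTS:
            return "image-port-from-untrusted-host"
    if src in CAMERAS and dst not in LAN:
        # Cameras are meant to be blocked from the internet.
        return "camera-to-internet"
    return None

def find_alerts(text):
    """Return (timestamp, alert, src, dst, dport) for every flow that violates policy."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        alert = classify(src, dst, dport)
        if alert:
            alerts.append((ts, alert, str(src), str(dst), dport))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(*alert)
```

The LAN range is matched explicitly rather than with `ipaddress`'s `is_private`, because `is_private` also returns True for documentation ranges such as 203.0.113.0/24.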