Axis Patches 7 Critical Vulnerabilities in 386 Devices

According to a security advisory published by Axis Communications under the ID ACV-128401, 7 vulnerabilities have been detected in the Axis Camera Network which allow remote command execution. The vulnerabilities have been allotted CVE labels; they are: CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663, and CVE-2018-10664. CVE-2018-10658 lends itself to a memory corruption issue in multiple models of the Axis IP Cameras which causes a denial of service crash response originating from a code in the shared object. CVE-2018-10659 addresses another memory corruption issue causing a DoS crash by sending a crafted command which recalls the UND undefined ARM instruction. CVE-2018-10660 describes a shell command injection vulnerability. CVE-2018-10661 described a bypass of access control vulnerability. CVE-2018-10662 describes an exposed insecure interface vulnerability. CVE-2018-10663 describes an incorrect size calculation issue within the system. Lastly, CVE-2018-10664 describes a generic memory corruption issue in the httpd process of multiple models of the Axis IP Cameras.

The vulnerabilities have not been analyzed by CVE MITRE yet and are still pending CVSS 3.0 grades, but Axis reports that when exploited in combination, the risk posed is critical. According to the risk assessment in the published report, an attacker must gain network access to the device to exploit the vulnerabilities, but s/he does not need any credentials to gain this access. As per the assessment, devices are at risk proportional to how exposed they are. Internet-facing devices exposed via router port-forward are at high risk as to where devices on a protected local network are on a relatively lower risk of exploit.

Axis has provided a full list of the affected products and has also released a patch update for the firmware which users are urged to upgrade to in order to prevent exploitation of these vulnerabilities. In addition to this, users are also recommended to not expose their devices to Internet port-forwarding setups directly and are advised to use the AXIS Companion application for Windows, Android, and iOS which provides safe access to the footage remotely. Internal IP table using IP filtering application is also suggested to mitigate the risk of future such vulnerabilities in a preventive manner.

Aaron Michael
Aaron Micheal is an electrical engineer by profession and a hard-core gamer by passion. His exceptional experience with computer hardware and profound knowledge in gaming makes him a very competent writer. What makes him unique is his growing interest in the state of the art technologies that motivates him to learn, adopt, and integrate latest techniques into his work.