Researchers at RandoriSec have found serious vulnerabilities in the firmware provided by UDP Technology to Geutebrück and many other IP camera vendors. According to the researchers the firmware supplier UDP Technology fails to respond to their reports despite numerous mails and LinkedIn messages.

Because of this unwillingness of UDP Technology to respond, RandoriSec worked with Geutebrück, one of the camera vendors, to correct the 11 authenticated RCE vulnerabilities and a complete authentication bypass that they found in the firmware.

History lessons

RandoriSec had found vulnerabilities in previous versions of the UDP technology firmware and knew from that previous experience that they could expect to be stonewalled when they reported the new vulnerabilities. UDP Technology provides firmware for several IP camera manufacturers, like:

  • Geutebruck
  • Ganz
  • Visualint
  • Cap
  • THRIVE Intelligence
  • Sophus
  • VCA
  • TripCorps
  • Sprinx Technologies
  • Smartec
  • Riva
  • and the camera’s they sell under their own brand name.

CISA

The Cybersecurity & Infrastructure Security Agency issued an advisory about the two Geutebrück IP camera types that were confirmed to be vulnerable, the G-Cam E2 and G-Code.

The CISA advisory includes the CVE identifiers for the found vulnerabilities. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

CVE-2021-33543 Missing authentication: allows unauthenticated remote access to sensitive files due to default user authentication settings.

CVE-2021-33544 RCE: the affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33545 RCE: The affected product is vulnerable to a stack-based buffer overflow condition in the counter parameter which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33546 RCE: The affected product is vulnerable to a stack-based buffer overflow condition in the name parameter, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33547 RCE: The affected product is vulnerable to a stack-based buffer overflow condition in the profile parameter which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33548 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33549 RCE: The affected product is vulnerable to a stack-based buffer overflow condition in the action parameter, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33550 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33551 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33552 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33553 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

CVE-2021-33554 RCE: The affected product is vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

Impact of the vulnerabilities

As you can imagine, the combination of unauthorized access to sensitive files combined with that many RCE vulnerabilities creates a treasure trove for attackers, and finding an attack method that works for you is trivial. And it should not come as a surprise that public exploits are available.

Even an attacker having access to your live-stream can be bad enough, but an attacker that has full control of your IP camera is even worse. And, what’s more, a combination of the unauthorized access and some of the RCE vulnerabilities can allow an attacker to achieve root on the IP cameras that are running on the vulnerable firmware.

Mitigation

For the mentioned Geutebrück cameras, a patch is available (Login required) and should be installed as soon as possible. Users are urgently recommended to update to firmware Version 1.12.14.7 or later. Geutebrück worked with RandoriSec to make sure their patch fixes the vulnerabilities.

For users of other IP cameras we can not do much more than to recommend to either disable/replace the cameras and certainly query the vendors to find out whether their cameras suffer from the same vulnerabilities.

As a general advice for users of IoT devices, you can follow these CISA recommendations:

  • Change the default passwords of the cameras.
  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

Vendors of the IP cameras running UDP Technology firmware are encouraged to ask some serious questions about the development of the firmware and why UDP Technology chooses not to work with security researchers in a way that benefits all the IP camera vendors instead of only the one working with the researchers. Geutebrück users know which types are vulnerable and can remedy the vulnerabilities by installing a patch. Users of the other brands are left guessing, from reading between the lines in the RandoriSec blogpost, we fear the worst.

For a complete technical analysis of how the researchers found the vulnerabilities, you are encouraged to read the RadoriSec blog about it.