Security researchers just reported three security vulnerabilities (CVE-2021-31986, CVE-2021-31987, CVE-2021-31988) in Axis video products that could be exploited in various attacks against businesses.
The flaws are located in Axis IP video surveillance systems and could allow arbitrary code execution.
CVE-2021-31986, CVE-2021-31987, CVE-2021-31988
The vulnerabilities were discovered by Nozomi Networks Labs researchers while examining Axis Companion Recorder, a compact network video recorder (NVR) that stores IP surveillance video from attached cameras.
During their analysis, the researchers uncovered the following issues:
- Heap-based buffer overflow (CVE-2021-31986, CVSSv3 6.7)
- Improper recipient validation in network test functionalities (CVE-2021-31987, CVSSv3 4.1)
- SMTP header injection in email test functionality (CVE-2021-31988, CVSSv3 5.5)
Attacks based on the vulnerabilities require user interaction: the potential victim, logged into the device, must visit a specially crafted webpage and click on a malicious link. In other words, exploiting the flaws doesn’t require specific expertise, the researchers pointed out.
Mitigation
Axis is currently working on releasing patches for all affected devices:
CVE-2021-31986 and CVE-2021-31988
- AXIS OS Active track 10.7
- AXIS OS 2016 LTS track 6.50.5.5
- AXIS OS 2018 LTS track 8.40.4.3
- AXIS OS 2020 LTS track 9.80.3.5
CVE-2021-31987
- AXIS OS Active track 10.8
- AXIS OS 2016 LTS track 6.50.5.5
- AXIS OS 2018 LTS track 8.40.4.3
- AXIS OS 2020 LTS track 9.80.3.5
The company urges users to download and install the latest firmware version from the official Axis website to protect their devices from cyberattacks.
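As an added example (not from Axis or Nozomi Networks), the following Python sketch checks a device inventory against the patched releases listed above and reports which of the three CVEs each firmware version still leaves open. The device names and versions are constructed, and recognising the track from the leading version fields (10 and above as Active track) is an assumption.

```python
import re

CVES = ("CVE-2021-31986", "CVE-2021-31987", "CVE-2021-31988")

# First fixed release per track and CVE, copied from the list above.
FIXED = {
    "2016 LTS": dict.fromkeys(CVES, (6, 50, 5, 5)),
    "2018 LTS": dict.fromkeys(CVES, (8, 40, 4, 3)),
    "2020 LTS": dict.fromkeys(CVES, (9, 80, 3, 5)),
    "Active": {CVES[0]: (10, 7), CVES[1]: (10, 8), CVES[2]: (10, 7)},
}
# Assumption: the track is recognised from the leading version fields.
LTS_PREFIX = {(6, 50): "2016 LTS", (8, 40): "2018 LTS", (9, 80): "2020 LTS"}


def parse(version):
    """Turn '9.80.3.5' into (9, 80, 3, 5); reject anything else."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", version):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def pad(v):
    """Pad a version tuple to four fields so 10.7 compares as 10.7.0.0."""
    return v + (0,) * (4 - len(v))


def check(version):
    """Return (track, CVEs not yet fixed in this version)."""
    v = parse(version)
    track = "Active" if v[0] >= 10 else LTS_PREFIX.get(v[:2])
    if track is None:
        # No fixed release is listed for this track: report all three as open.
        return None, list(CVES)
    return track, [c for c in CVES if pad(v) < pad(FIXED[track][c])]


def audit(inventory):
    """Map each device name to its check() result, skipping patched devices."""
    report = {}
    for name, version in inventory.items():
        track, open_cves = check(version)
        if open_cves:
            report[name] = (track, open_cves)
    return report


# Constructed inventory, for illustration only.
SAMPLE = {"nvr-lobby": "10.7.1", "cam-dock": "9.80.3.5", "cam-gate": "6.50.5.2", "cam-roof": "7.30.1"}

if __name__ == "__main__":
    for device, (track, cves) in audit(SAMPLE).items():
        print(f"{device}: track={track or 'not listed'} open={', '.join(cves)}")
```

A device on Active track 10.7 is reported as still open to CVE-2021-31987 only, since that fix is listed for 10.8.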
This is not the first time security researchers have uncovered security issues in Axis cameras. A few years ago, several critical vulnerabilities were uncovered in 400 Axis camera models. The flaws could allow hackers to take full control of the affected cameras or entangle them in botnets.
VDOO researchers unearthed the vulnerabilities, which could be exploited via the IP address of the camera. As a result, hackers could spy on any audio or video records.