BeyondTrust

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

Airlive POE/OD IP Camera Multiple Vulnerabilities

Disclosed: June 12, 2013 | Zeroday: 500 days

Vulnerability Description:

The affected cameras contain a cross-site request forgery vulnerability, an information disclosure vulnerability that leads to elevation of privileges, and a denial of service vulnerability.

Vendors:

AirLive

Vulnerable Software/Devices:

Airlive POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, and POE100HD IP cameras

Vulnerability Severity:

Medium

Exploit Availability:

Publicly Available

Exploit Impact:

Cross-Site Request Forgery, Denial of Service, Elevation of Privilege

Cross-Site Request Forgery (CVE-2013-3540)
Exploitation of this vulnerability is possible via forged HTML forms, sent to a victim through a number of different attack vectors (including malicious links). Attackers who successfully exploit this vulnerability may be able to take complete control of the affected device, including the ability to change arbitrary settings, such as the username and password for administering the vulnerable device.

Elevation of Privilege via Information Disclosure (CVE-2013-3687)
Exploitation of this vulnerability will grant an attacker access to sensitive information, such as plaintext usernames, passwords, etc. These can be used by the remote attacker to elevate their privileges to one of the listed user accounts.

Denial of Service (CVE-2013-3691)
Exploitation of this vulnerability will render the web service on the affected device unresponsive for a limited time. An attacker who keeps sending malicious payloads can sustain the denial of service condition indefinitely.

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.

  • 19743 - Airlive POE/OD IP Camera Multiple Vulnerabilities (Zero-Day)

Mitigation:

No mitigation is currently available.
