Severe Vulnerabilities Discovered in IP Camera Firmware Used by Multiple Vendors


Security researchers at RandoriSec have identified numerous critical and high-severity flaws in IP camera firmware made by UDP Technology, a South Korea-based firm that offers digital video solutions for the security and IP surveillance industries. 

Last month, French security firm RandoriSec published a blog post detailing its findings, and last Tuesday the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory to warn customers regarding the threats posed by these flaws.

The latest findings uncovered 11 remote code execution vulnerabilities and one authentication bypass issue. The 11 flaws are tracked as CVE-2021-33543 through CVE-2021-33554. These vulnerabilities can allow an unauthenticated attacker to gain root access on IP cameras running the vulnerable firmware and take complete control of the targeted cameras.

RandoriSec has been focusing on the UDP Technology firmware since 2017 and has discovered several vulnerabilities in previous versions of it. From that experience, the researchers knew they could expect to be stonewalled when they reported the new vulnerabilities.

UDP Technology provides firmware for several IP camera vendors, including Geutebruck, Ganz Visualint, Cap, THRIVE Intelligence, Sophus, VCA, TripCorps, Sprinx Technologies, Smartec and Riva, as well as for the cameras UDP sells under its own brand name.

According to RandoriSec founder Davy Douhine, the authentication bypass flaw can be exploited to hack impacted IP cameras directly from the internet. He shared with SecurityWeek a Shodan search query that shows over 140 internet-exposed devices, mainly in the United States and the United Kingdom.

“Combining this authentication bypass [with] any of the RCE [vulnerabilities] gave us a root shell. From there you can do whatever you want – the camera is ‘jailbroken’. [An attacker could] stop the video stream, change it, use it as a relay to the connected network,” Douhine explained.

The French security firm has been designing Metasploit modules for exploiting the UDP flaws. RandoriSec published the initial Metasploit modules in an effort to ‘wake up’ the vendor, but this did not produce the desired result.

RandoriSec is currently designing a number of different Metasploit modules for the vulnerabilities it discovered, including a post-exploitation module that can be used to freeze the targeted camera's video or to inject arbitrary photographs, as in the movies.