[s03e01] RCE on Geutebruck IP Cameras

By Davy Douhine | December 18, 2018

Abstract

A few weeks ago we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions” and found a RCE affecting version 1.12.0.24 and prior versions of E2 series IP cameras.

In fact it is the third time we find a a RCE on this product line. One in 2016, another one in 2017 and now a new one in 2018.

Like before we’ve choose to “responsible disclose” this 0day vulnerability, directly to Geutebruck and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).  Since then a new firmware has been released (1.12.0.25) to fix that, ICS-CERT has released an advisory and a CVE (CVE-2018-19007) have been assigned.

Many thanks to Geutebruck and ICS-CERT teams.


Advisory

“Successful exploitation of this vulnerability may allow a remote attacker to inject OS commands as root.”.

https://ics-cert.us-cert.gov/advisories/ICSA-18-347-03


Exploit

Coming soon.


Mitigation

Geutebruck has released a new software version, Version 1.12.0.25, to address the identified vulnerability, which is available at the following location (registration needed):

http://www.geutebrueck.com/en_EN/login.html

If an update is not possible right now in between users can disable the “Enable anonymous access” option to mitigate the risk. The RCEs will remain but will only be reachable by authenticated users.


In the wild

Many brands use the same firmware (and are vulnerable too):

  • UDP Technology (which is also the supplier of the firmware for the other vendors)
  • Ganz
  • Visualint
  • Cap
  • THRIVE Intelligence