Vulnerability Note VU#355151
ACTi cameras models from the D, B, I, and E series contain multiple security vulnerabilities
Overview
According to the reporter, ACTi devices including D, B, I, and E series models using firmware version A1D-500-V6.11.31-AC are vulnerable to several issues.
Description
According to the reporter, multiple ACTi devices, including the D, B, I, and E series models, that use firmware version A1D-500-V6.11.31-AC are vulnerable to several issues. Other models may be affected.
CWE-306: Missing Authentication for Critical Function - CVE-2017-3184
Impact
A remote unauthenticated attacker may be able to perform a factory reset of the device, gain access to sensitive information such as user account name or password, or utilize a known default root admin credential across all devices.
Solution
The CERT/CC is currently unaware of a practical solution to this problem.
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| ACTi Corporation | Affected | 20 Jan 2017 | 07 Mar 2017 |
CVSS Metrics
| Group | Score | Vector |
| --- | --- | --- |
| Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 8.5 | E:POC/RL:U/RC:UR |
| Environmental | 6.4 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- http://www.acti.com/
- https://cwe.mitre.org/data/definitions/306.html
- https://cwe.mitre.org/data/definitions/521.html
- https://cwe.mitre.org/data/definitions/598.html
Credit
Thanks to Mandar Jadhav of the Qualys Vulnerability Signature/Research Team for reporting these vulnerabilities.
This document was written by Garret Wassermann.
Other Information
- CVE IDs: CVE-2017-3184, CVE-2017-3185, CVE-2017-3186
- Date Public: 07 Mar 2017
- Date First Published: 07 Mar 2017
- Date Last Updated: 07 Mar 2017
- Document Revision: 23
