US-CERT
Vulnerability Notes Database

Vulnerability Note VU#799060

Various Axis products allow unauthorized remote privileged access

Overview

A vulnerability in various Axis Communications products may allow unauthorized remote privileged access.

I. Description

Axis Communications Inc. produces network-enabled cameras and video servers. The company describes itself as "an innovative market leader in network video and print servers. Axis' products and solutions are focused on applications such as security surveillance, remote monitoring and document management."

A crafted URL sent to an affected device may allow a remote attacker to take a number of privileged actions, essentially gaining superuser access. For further details, please see the Core Security Technologies Advisory.

II. Impact

Quoting from the Core Security Technologies Advisory:

    Using this vulnerability, an attacker can reset the root password, then enable the telnet server by modifying configuration files, giving the attacker interactive access to a Unix like command line, allowing her to execute arbitrary commands as root.

III. Solution

Apply a vendor-supplied firmware upgrade.

Systems Affected

Vendor  Status  Date Notified  Date Updated
Axis Communications Inc.  Vulnerable  5-Jun-2003

References

http://www.coresecurity.com/common/showdoc.php?idx=329&idxseccion=10
http://securitytracker.com/alerts/2003/May/1006854.html
http://www.iss.net/security_center/static/12104.php
http://www.secunia.com/advisories/8876/
http://www.securityfocus.com/bid/7652
http://www.axis.com/us/aboutus.asp
http://www.axis.com/

Credit

This vulnerability was discovered by Juliano Rizzo of Core Security Technologies.

This document was written by Ian A Finlay.

Other Information

Date Public: 2003-05-27
Date First Published: 2003-06-05
Date Last Updated: 2003-06-05
CERT Advisory:
CVE-ID(s): CAN-2003-0240
NVD-ID(s): CAN-2003-0240
US-CERT Technical Alerts:
Metric: 15.00
Document Revision: 19

Copyright 2003 Carnegie Mellon University