IP Surveillance Bugs in Axis Gear Allow RCE, Data Theft

Three security vulnerabilities in Axis video products could open up the door to a bevy of different cyberattacks on businesses.

Three vulnerabilities in the IP video-surveillance systems created by Axis Communications could allow arbitrary code execution, among other attacks.

That’s according to Nozomi Networks Labs, whose researchers examined the company’s Axis Companion Recorder, a compact network video recorder (NVR) that stores IP surveillance video coming from attached cameras (it can support up to eight at one time).

They found that the three bugs (CVE-2021-31986, CVE-2021-31987, CVE-2021-31988) turn out to affect all Axis devices that run the company’s embedded Axis OS.

The bugs are as follows:

Heap-based buffer overflow (CVE-2021-31986, CVSSv3 rating of 6.7)

Improper recipient validation in network test functionalities (CVE-2021-31987, CVSSv3 rating of 4.1)

SMTP header injection in email test functionality (CVE-2021-31988, CVSSv3 rating of 5.5)

“All attacks require that a victim, while logged into the device, visits a specifically crafted webpage or clicks on a malicious link,” Nozomi researchers told Threatpost. “There are several ways this could happen (, watering holes, etc.) which we do not delve into in this . But it does not take a great deal of expertise, as

Read More: https://threatpost.com/ip-surveillance-bugs-axis-rce-data-theft/175350/