IP Surveillance Bugs in Axis Gear Allow RCE, Data Theft

Three security vulnerabilities in Axis video products could open up the door to a bevy of different cyberattacks on businesses.

Three vulnerabilities in the IP video-surveillance systems created by Axis Communications could allow arbitrary code execution, among other attacks.

That’s according to Nozomi Networks Labs, whose researchers examined the company’s Axis Companion Recorder, a compact network video recorder (NVR) that stores IP surveillance video coming from attached cameras (it can support up to eight at one time).

They found that the three bugs (CVE-2021-31986, CVE-2021-31987, CVE-2021-31988) affect all Axis devices that run the company’s embedded Axis OS.

The bugs are as follows:

- Heap-based buffer overflow (CVE-2021-31986, CVSSv3 rating of 6.7)
- Improper recipient validation in network test functionalities (CVE-2021-31987, CVSSv3 rating of 4.1)
- SMTP header injection in email test functionality (CVE-2021-31988, CVSSv3 rating of 5.5)

“All attacks require that a victim, while logged into the device, visits a specifically crafted webpage or clicks on a malicious link,” Nozomi researchers told Threatpost. “There are several ways this could happen (phishing, watering holes, etc.) which we do not delve into in this analysis. But it does not take a great deal of expertise, as

Read More: https://threatpost.com/ip-surveillance-bugs-axis-rce-data-theft/175350/