CERT VU:799060
History: Jun 05, 2003 - 12:00 a.m.

Various Axis products allow unauthorized remote privileged access

2003-06-05 00:00:00
www.kb.cert.org

CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.024 Low
Percentile: 89.9%

Overview

A vulnerability in various Axis Communications products may allow unauthorized remote privileged access.

Description

Axis Communications Inc. produces network-enabled cameras and video servers. The company describes itself as “an innovative market leader in network video and print servers. Axis’ products and solutions are focused on applications such as security surveillance, remote monitoring and document management.”

A crafted URL sent to an affected device may allow a remote attacker to take a number of privileged actions, essentially gaining superuser access. For further details, please see the Core Security Technologies Advisory.


Impact

Quoting from the Core Security Technologies Advisory:
Using this vulnerability, an attacker can reset the root password, then enable the telnet server by modifying configuration files, giving the attacker interactive access to a Unix like command line, allowing her to execute arbitrary commands as root.


Solution

Apply a vendor-supplied firmware upgrade.


Vendor Information


Axis Communications Inc.: Affected

Updated: June 05, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

While we have been unable to find a statement from the vendor, it appears that each of the firmware upgrades includes the following statement:

Some security issues in the web server have been solved. For example, please see .

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

This vulnerability was discovered by Juliano Rizzo of Core Security Technologies.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2003-0240
Severity Metric: 15.00
Date Public:
