A security firm reported the discovery of three vulnerabilities in the software of CCTV devices of technology firm Axis Communications, which has already acknowledged the flaws and issued the corresponding firmware updates. According to the report, the flaws reside in Axis OS Active 10.7, Axis OS 2016 LTS 18.104.22.168, Axis OS 2018 LTS 22.214.171.124, Axis OS 2020 LTS 126.96.36.199, Axis OS Active 10.8, Axis OS 2016 LTS 188.8.131.52, Axis OS 2018 LTS 184.108.40.206 and Axis OS 2020 LTS 220.127.116.11.
The report, published by security firm Nozomi Networks Labs, describes the flaws as a buffer overflow based on the heap tracked as CVE-2021-31986; incorrect validation in network test functions tracked as CVE-2021-31897; and an SMTP header injection into the email function of the affected devices tracked as CVE-2021-31988.
Experts found the first flaw in the read callback function, finding that the parameters provided are controllable from the outside and were not sufficiently validated by the server-side code before reaching the read callback function. The flaw received a score of 6.7/10 according to the Common Vulnerability Scoring System (CVSS).
On the other hand, CVE-2021-31897 is related to the test functions of HTTP, e-mail, and TCP recipients, which have blocklist-based security controls to prevent interactions with network services exposed to the local host. The flaw received a CVSS score of 4.1/10.
Finally, CVE-2021-21988 exists due to an SMTP header injection into the SMTP test function: “By redirecting the victim to a specially designed website, threat actors could trick the device into sending malicious emails to other users with arbitrary SMTP header values,” the report mentions.
The flaw can be exploited to perform phishing attacks, spread malware through emails or divulge sensitive information, experts say.
Investigators notified Axis last June, when the company began working on the necessary firmware updates. The report notes that some affected devices are not included but will still receive updates to avoid the risk of exploitation.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.