Three critical vulnerabilities in AXIS CCTV cameras allow hackers to spy on you. Patch immediately

A security firm reported the discovery of three vulnerabilities in the software of CCTV devices of technology firm Axis Communications, which has already acknowledged the flaws and issued the corresponding firmware updates. According to the report, the flaws reside in Axis OS Active 10.7, Axis OS 2016 LTS 6.50.5.5, Axis OS 2018 LTS 8.40.4.3, Axis OS 2020 LTS 9.80.3.5, Axis OS Active 10.8, Axis OS 2016 LTS 6.50.5.5, Axis OS 2018 LTS 8.40.4.3 and Axis OS 2020 LTS 9.80.3.5.

The report, published by security firm Nozomi Networks Labs, describes the flaws as a buffer overflow based on the heap tracked as CVE-2021-31986; incorrect validation in network test functions tracked as CVE-2021-31897; and an SMTP header injection into the email function of the affected devices tracked as CVE-2021-31988.

Experts found the first flaw in the read callback function, finding that the parameters provided are controllable from the outside and were not sufficiently validated by the server-side code before reaching the read callback function. The flaw received a score of 6.7/10 according to the Common Vulnerability Scoring System (CVSS).

On the other hand, CVE-2021-31897 is related to the test functions of HTTP, e-mail, and TCP recipients, which have blocklist-based security controls to prevent interactions with network services exposed to the local host. The flaw received a CVSS score of 4.1/10.

Finally, CVE-2021-21988 exists due to an SMTP header injection into the SMTP test function: “By redirecting the victim to a specially designed website, threat actors could trick the device into sending malicious emails to other users with arbitrary SMTP header values,” the report mentions.

The flaw can be exploited to perform phishing attacks, spread malware through emails or divulge sensitive information, experts say.

Investigators notified Axis last June, when the company began working on the necessary firmware updates. The report notes that some affected devices are not included but will still receive updates to avoid the risk of exploitation.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.