Vanderbilt Industries has provided a firmware update for more than a dozen Siemens-branded IP-based closed circuit TV cameras that patches a serious, remotely exploitable vulnerability.
The flaw, CVE-2016-9155, could allow an attacker to obtain administrative credentials by sending specially crafted requests to the cameras' integrated web server, Siemens said in an advisory.
“Until patches can be applied, restricting access to the integrated web server with appropriate mechanisms is recommended,” Siemens said.
Affected versions are:
- CCMW3025: All versions prior to 1.41_SP18_S1,
- CVMW3025-IR: All versions prior to 1.41_SP18_S1,
- CFMW3025: All versions prior to 1.41_SP18_S1,
- CCPW3025: All versions prior to 0.1.73_S1,
- CCPW5025: All versions prior to 0.1.73_S1,
- CCMD3025-DN18: All versions prior to v1.394_S1,
- CCID1445-DN18: All versions prior to v2635,
- CCID1445-DN28: All versions prior to v2635,
- CCID1445-DN36: All versions prior to v2635,
- CFIS1425: All versions prior to v2635,
- CCIS1425: All versions prior to v2635,
- CFMS2025: All versions prior to v2635,
- CCMS2025: All versions prior to v2635,
- CVMS2025-IR: All versions prior to v2635,
- CFMW1025: All versions prior to v2635, and
- CCMW1025: All versions prior to v2635.
Vanderbilt Industries in June 2015 wrapped up its acquisition of Siemens security products, and these particular cameras are used in a number of industries for surveillance and security purposes, including commercial and government facilities, as well as healthcare operations worldwide.
Siemens said it is unaware of public exploits, but cautions that an attacker with a relatively low skill level could compromise these devices. Siemens noted, however, that an attacker would need network access to the integrated web server to obtain the credentials.
With increasing scrutiny on the security of connected devices, organizations running these cameras should ensure the updates are applied quickly.
A number of recent high-profile attacks emanating from connected devices such as IP CCTVs and DVRs have been reported, most notably from devices corralled by the Mirai malware.
The malware seeks out connected devices and works through a hard-coded list of weak or known default credentials to try to log in. Once it has access, it installs a bot that joins the device to a botnet used primarily in DDoS attacks.
Three of the most volumetric DDoS attacks in history have occurred since the start of the summer, including attacks that took down Krebs on Security, French web host OVH and DNS service provider Dyn, which was acquired today by Oracle.
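An infected camera gives itself away on the network before it ever takes part in a DDoS attack: the Mirai scanner, whose published source targets TCP ports 23 and 2323, opens connections to many distinct hosts in a short time while it looks for new victims. The following is an added example, not code from the original article or from Siemens or Vanderbilt, showing one way to detect that behaviour in flow logs from a camera segment. The log format, the constructed sample lines, the window length and the threshold are all assumptions; tune the last two to the segment you monitor.

```python
"""Flag hosts that scan for telnet services the way a Mirai bot does.

Added example, not code from the article or any vendor. The flow-log
format below is assumed (not a real vendor format): one connection per
line as "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
Heuristic: a single source opening connections to at least MIN_DISTINCT_DSTS
different destinations on TCP 23 or 2323 within WINDOW is reported.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the published Mirai scanner targets; thresholds are assumptions.
TELNET_PORTS = {23, 2323}
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_DSTS = 5

# Constructed sample traffic (not real). 10.0.5.21 behaves like a bot
# scanning the internet; 10.0.5.22 only talks NTP and HTTPS; 10.0.1.5 is an
# administrator touching two cameras five minutes apart.
SAMPLE_FLOWS = """\
# ts src dst dport proto
2016-11-22T10:00:00 10.0.5.21 203.0.113.10 23 tcp
2016-11-22T10:00:01 10.0.5.21 203.0.113.11 23 tcp
2016-11-22T10:00:01 10.0.5.21 198.51.100.7 2323 tcp
2016-11-22T10:00:02 10.0.5.21 203.0.113.12 23 tcp
2016-11-22T10:00:03 10.0.5.21 203.0.113.13 23 tcp
2016-11-22T10:00:03 10.0.5.21 203.0.113.13 23 tcp
2016-11-22T10:00:04 10.0.5.21 192.0.2.44 23 tcp
2016-11-22T10:00:05 10.0.5.21 192.0.2.45 2323 tcp
2016-11-22T10:00:06 10.0.5.21 192.0.2.46 23 tcp
2016-11-22T10:00:00 10.0.5.22 10.0.0.2 123 udp
2016-11-22T10:00:09 10.0.5.22 10.0.0.3 443 tcp
2016-11-22T10:00:10 10.0.1.5 10.0.5.21 23 tcp
2016-11-22T10:05:00 10.0.1.5 10.0.5.22 23 tcp
"""


def parse_flow(line):
    """Split one assumed-format flow line into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def find_telnet_scanners(lines, window=WINDOW, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src_ip: max distinct telnet destinations seen in any window}
    for every source that reaches min_dsts or more."""
    by_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the constructed header comment
        ts, src, dst, dport, proto = parse_flow(line)
        if proto == "tcp" and dport in TELNET_PORTS:
            by_src[src].append((ts, dst))

    suspects = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        # Sliding window over time-ordered events; count distinct targets.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_dsts:
            suspects[src] = best
    return suspects


if __name__ == "__main__":
    for host, count in find_telnet_scanners(SAMPLE_FLOWS.splitlines()).items():
        print(f"possible scanner: {host} contacted {count} telnet targets")
```

On the constructed sample only 10.0.5.21 is reported (eight distinct targets in six seconds); the administrator's two logins are too far apart to cross the threshold, which is the reason the window exists. Flagged cameras should be isolated, re-flashed with the patched firmware above and given non-default credentials before going back on the network.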
Experts warn that short of an effective recall of these devices, it falls on operators to patch the devices with firmware updates, and at a minimum, change default credentials.