Vulnerabilities Identified in EZVIZ Smart Cams
September 15, 2022
As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers several camera models manufactured by EZVIZ. Full details are included in the research paper below:
Vulnerabilities at a glance
- [REMOTE] Stack-Based Buffer Overflow Vulnerability can lead to remote code execution in the motion detection routine – CVE-2022-2471
- [REMOTE] Insecure Direct Object Reference vulnerability in multiple API endpoints allows an attacker to fetch images and issue commands on behalf of the real owner of the camera [2]
- [REMOTE] Storing Passwords in a Recoverable Format vulnerability in [3] /api/device/query/encryptkey allows an attacker to recover the encryption key for images
- [LOCAL] Improper Initialization vulnerability lets an attacker recover the administrator password and completely own the device - CVE-2022-2472
Affected camera models
The vulnerabilities were found on firmware version V5.3.0 build 201719 (previous versions might also be vulnerable but untested). Affected device models are listed in the table below – please note that there may be other device models and integrations that we have not tested:
- CS-CV248 [20XXXXX72] - V5.2.1 build 180403
- CS-C6N-A0-1C2WFR [E1XXXXX79] - V5.3.0 build 201719
- CS-DB1C-A0-1E2W2FR [F1XXXXX52] - V5.3.0 build 211208
- CS-C6N-B0-1G2WF [G0XXXXX66] - v5.3.0 build 210731
- CS-C3W-A0-3H4WFRL [F4XXXXX93] - V5.3.5 build 220120
Disclosure timeline
- Apr 15, 2022: Bitdefender makes an initial contact attempt via multiple public communication channels
- Apr 16, 2022: Acknowledgement received; vendor requests additional information through OneDrive
- Apr 18, 2022: Bitdefender submits documentation and proof of concept
- Apr 20, 2022: Report received and acknowledged by the vendor
- May 05, 2022: Vendor informs that internal assessment is in progress
- May 10, 2022: The vendor requests a 90-day extension for vulnerability fixing and patching
- May 16, 2022: Vendor communicates the findings of internal assessment and confirms fix
- Jun 20, 2022: Updates are still rolling out to vulnerable devices
- Sep 15, 2022: This report becomes public as per the coordinated vulnerability disclosure guidelines
Impact
When daisy-chained, the discovered vulnerabilities allow an attacker to remotely control the camera, download images and decrypt them. Use of these vulnerabilities can bypass authentication and potentially execute code remotely, further compromising the integrity of the affected cameras.
Note: Bitdefender has been working closely with EZVIZ through all stages of vulnerability disclosure. We would like to extend our thanks for the prompt response time, communication, transparency and escalation.
tags
Author
The meaning of Bitdefender’s mascot, the Dacian Draco, a symbol that depicts a mythical animal with a wolf’s head and a dragon’s body, is “to watch” and to “guard with a sharp eye.”
View all postsRight now Top posts
Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware
June 08, 2023
Vulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series
May 02, 2023
EyeSpy - Iranian Spyware Delivered in VPN Installers
January 11, 2023
Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor
January 05, 2023
FOLLOW US ON SOCIAL MEDIA
You might also like
Bookmarks
