Sony Patches Multiple Vulnerabilities in IPELA E Series Cameras

High-end surveillance cameras can offer good quality color image even in even the darkest surroundings and, thanks to their ‘connected’ nature, can rapidly beacon a warning to those concerned. However, connected cameras are also vulnerable to cyber threats.

While Sony was able to patch the latest flaws found in its HD IPELA E Series surveillance cams before bad actors could take control of them, it is nonetheless noteworthy what security researchers at Cisco Talos found in terms of vulnerabilities in Sony’s video security equipment.

An advisory published by Talos researchers Cory Duplantis and Claudio Bozzato details two distinct flaws found in Sony’s hardware recently.

The first bug, identified as CVE-2018-3937, hides an exploitable command injection vulnerability in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera.

“A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability,” researchers warn.

The second flaw, tracked as CVE-2018-3938, is an stack buffer overflow vulnerability that lies in the “802dot1xclientcert.cgi” functionality of Sony IPELA E Series Camera.

According to the same advisory, “A specially crafted POST request can cause a stack buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability.”

Avid infosec readers can find detailed technical information on the two vulnerabilities here and here. Sony has reportedly issued patches for the flaws.