New Sony camera vulnerabilities could allow attackers to conduct remote code execution attacks

• The two vulnerabilities are CVE-2018-3937 and CVE-2018-3938.
• The security flaws could allow attackers to execute arbitrary code or commands on affected devices.

Security researchers at Cisco Talos have discovered two security flaws in Sony IPELA E Series Network Camera. The two vulnerabilities have been tracked as CVE-2018-3937 and CVE-2018-3938. The flaws could allow attackers to execute arbitrary code and/or commands on affected devices.

Command injection flaw

The first bug, CVE-2018-3937, is a command injection flaw found in the measurement BitrateExec functionality of the Sony camera. The functionality is used for monitoring and surveillance purposes. The researchers explained that a specially crafted GET request was used to execute arbitrary commands. Alternatively, the vulnerability could also be triggered by simply sending an HTTP request.

Cisco Talos researchers said the vulnerable devices fail to check on the server address, which is one of the major causes for the existence of this vulnerability.

“While parsing the input measurement string, there isn't a check on the server address (-c). In this manner, any string can be placed as the server address and will be executed via system. Knowing this, an attacker can execute arbitrary commands in the position of the server address,” the researchers Cory Duplantis and Claudio Bozzato said in a blog.

Stack buffer overflow bug

The second vulnerability, CVE-2018-3938, is a stack buffer overflow bug. It affects the 802dot1xclientcert.cgi functionality of IPELA E Series cameras. This functionality is “designed to handle everything related to certificate management for 802.1x.” According to the researchers, a specially crafted POST “can cause a stack-based buffer overflow, resulting in remote code execution.”

The vulnerable systems fail to detect the length of the incoming data, which is directly copied to a local buffer via memcpy. This failure to detect the data length causes a stack-based overflow and an attacker can abuse it to remotely execute commands on devices.

These two vulnerabilities were reported to Sony last month. The tech giant has since released Sony IPELA E series G5 firmware 1.87.00 to address the security bugs.