At least 5 models of EZVIZ Internet of Things (IoT) cameras are susceptible to a handful of vulnerabilities that could result in threat actors accessing, decrypting, and downloading the video from the devices.
EZVIZ is a smart home security brand of cloud-connected hardware used across the globe, offering dozens of IoT security camera models.
As part of their ongoing research into IoT hardware security, analysts at Bitdefender identified vulnerabilities in at least five EZVIZ camera models, though the team added there could be other affected products as well:
- CS-CV248 [20XXXXX72] – V5.2.1 build 180403
- CS-C6N-A0-1C2WFR [E1XXXXX79] – V5.3.0 build 201719
- CS-DB1C-A0-1E2W2FR [F1XXXXX52] – V5.3.0 build 211208
- CS-C6N-B0-1G2WF [G0XXXXX66] – v5.3.0 build 210731
- CS-C3W-A0-3H4WFRL [F4XXXXX93] – V5.3.5 build 22012
First, the security researchers identified a stack-based buffer overflow bug that could result in remote code execution (CVE-2022-2471). In addition, they found an insecure direct object reference vulnerability at multiple API endpoints that could allow a cyberattacker to take control of the camera, and a third remote bug that lets an attacker steal the encryption key for the video, the researchers added.
Finally, a local vulnerability, tracked under CVE-2022-2472, lets an attacker take over the system in earnest.
“When daisy-chained, the found vulnerabilities permit an attacker to remotely control the camera, obtain photographs and decrypt them,” the IoT cybersecurity research team added. “Use of those vulnerabilities can bypass authentication and probably execute code remotely, further compromising the integrity of the affected cameras.”
EZVIZ began issuing security updates for the cameras affected by the IoT bug in June, Bitdefender disclosed.