A vulnerability was found in Insteon HD IP Camera White 2864-222 (Network Camera Software) (version now known). It has been rated as critical. This issue affects some unknown processing of the file cgi-bin/CGIProxy.fcgi of the component Web Service. The manipulation of the argument remoteIp as part of a Parameter leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

The webService binary on Insteon HD IP Camera White 2864-222 devices has a stack-based Buffer Overflow leading to Control-Flow Hijacking via a crafted usr key, as demonstrated by a long remoteIp parameter to cgi-bin/CGIProxy.fcgi on port 34100.

The bug was discovered 06/22/2018. The weakness was published 06/23/2018 (Website). The advisory is shared at github.com. The identification of this vulnerability is CVE-2018-11560 since 05/30/2018. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available.

The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Similar entry is available at 119826.

Productinfo

Type

• Network Camera Software

Vendor

• Insteon

Name

• HD IP Camera White 2864-222

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion