A vulnerability was found in SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B (Network Camera Software). It has been classified as critical. Affected is an unknown function. The manipulation of the argument authLevel with the input value 255 leads to a improper authentication vulnerability. CWE is classifying the issue as CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B devices improperly identifies users only by the authentication level sent in the cookies, which allow remote attackers to bypass authentication and gain administrator access by setting the authLevel cookie to 255.

The bug was discovered 10/16/2018. The weakness was published 10/19/2018 (Website). The advisory is available at bishopfox.com. This vulnerability is traded as CVE-2018-12666 since 06/22/2018. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details are known, but there is no available exploit.

The vulnerability was handled as a non-public zero-day exploit for at least 3 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Similar entries are available at 125793, 125791, 125792 and 125794.

Productinfo

Type

• Network Camera Software

Vendor

• SV3C

Name

• L-SERIES HD CAMERA

Version

• V2.3.4.2103-S50-NTD-B20170508B

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion