CVE-2018-7235 in Pelco Sarix Professional

Summary

by MITRE

A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow arbitrary system file download due to lack of validation of the shell meta characters with the value of 'system.download.sd_file'.


Analysis

by VulDB Data Team • 01/12/2020

The vulnerability identified as CVE-2018-7235 affects Schneider Electric's Pelco Sarix Professional video surveillance devices running firmware versions prior to 3.29.67. This represents a critical security flaw that stems from inadequate input validation within the device's web interface implementation. The specific weakness manifests in the handling of the 'system.download.sd_file' parameter, which fails to properly sanitize shell metacharacters that could be exploited by malicious actors to execute arbitrary system commands.

This vulnerability falls under the category of command injection attacks and aligns with CWE-77, which describes improper neutralization of special elements used in a command shell. The flaw enables attackers to manipulate the device's file system by crafting malicious requests that bypass normal validation mechanisms. When the system processes the 'system.download.sd_file' parameter without proper sanitization, it becomes possible for an attacker to inject shell commands that execute with the privileges of the web server process, potentially leading to complete system compromise.

The operational impact of this vulnerability extends beyond simple file access, as it provides attackers with the capability to download arbitrary system files from the device's storage. This could include configuration files, system logs, or even firmware components that might reveal sensitive information about the network infrastructure or device configurations. The vulnerability is particularly concerning in surveillance environments where these devices often serve as critical components of security infrastructure and may contain sensitive operational data or access credentials.

Security professionals should note that this vulnerability is classified as a remote code execution risk within the MITRE ATT&CK framework under the technique T1059.001 for Command and Scripting Interpreter. The attack vector requires minimal privileges and can be exploited through web interface interactions, making it particularly dangerous in environments where these devices are accessible from untrusted networks. Organizations using Pelco Sarix Professional devices should immediately implement firmware updates to version 3.29.67 or later, which addresses the input validation weakness through proper sanitization of shell metacharacters in the affected parameter.

Mitigation strategies should include network segmentation to limit access to these devices, implementation of web application firewalls to monitor for suspicious parameter values, and regular security audits of networked surveillance equipment. Additionally, organizations should consider disabling unnecessary web interface functionality and implementing strict access controls that limit who can interact with the device's management interfaces. The vulnerability demonstrates the critical importance of proper input validation in networked security devices and serves as a reminder that even seemingly benign functionality can become a gateway for sophisticated attacks when proper security measures are not implemented.
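As an added defensive example (not code from VulDB, MITRE or Schneider Electric), the following shows the allowlist check a hardened request handler would apply to the 'system.download.sd_file' value, and detection logic that flags requests carrying shell metacharacters or path traversal in that parameter when run over constructed web-server log lines. The endpoint path, log format and sample values are assumptions; only the parameter name comes from the advisory.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qs

# Parameter named in the advisory; everything else in this file is constructed.
PARAM = "system.download.sd_file"
# Characters a POSIX shell interprets; a filename meant for download never needs them.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"*?~!#]")
# Hardened form: a bare filename only, no separators, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_safe_sd_file(value: str) -> bool:
    """Allowlist check: accept only a plain filename, reject traversal and metacharacters."""
    return bool(SAFE_NAME.fullmatch(value)) and ".." not in value


def sd_file_values(request_line: str) -> list[str]:
    """Return decoded values of the vulnerable parameter from 'GET /path?query HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    # parse_qs percent-decodes once; '&' is the only separator, so ';' stays in the value.
    return parse_qs(query, keep_blank_values=True).get(PARAM, [])


def scan_log(lines: list[str]) -> list[dict]:
    """Flag requests whose sd_file value carries metacharacters or fails the allowlist."""
    # Constructed common-log-style layout: client - - [timestamp] "request" status size
    entry = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
    findings = []
    for line in lines:
        m = entry.match(line)
        if not m:
            continue
        client, ts, request, status = m.groups()
        for value in sd_file_values(request):
            if SHELL_META.search(value) or not is_safe_sd_file(value):
                findings.append({"client": client, "time": ts, "value": value, "status": int(status)})
    return findings


# Constructed sample log; the /cgi-bin/download path is a placeholder, not the real endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Mar/2018:10:01:02 +0000] "GET /cgi-bin/download?system.download.sd_file=clip_0001.mp4 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Mar/2018:10:02:13 +0000] "GET /cgi-bin/download?system.download.sd_file=clip_0001.mp4%3Bid HTTP/1.1" 200 310',
    '198.51.100.7 - - [09/Mar/2018:10:02:20 +0000] "GET /cgi-bin/download?system.download.sd_file=../../etc/hostname HTTP/1.1" 200 64',
    '10.0.0.8 - - [09/Mar/2018:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} suspicious {PARAM}={f['value']!r} (HTTP {f['status']})")
```

The same `is_safe_sd_file` check is what a patched handler should apply before the value ever reaches a shell; a WAF rule can mirror the `SHELL_META` pattern for the parameter.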

Reservation

02/19/2018

Disclosure

03/09/2018

Moderation

accepted

CPE

ready

EPSS

0.00292

KEV

no

Activities

very low
