
Web server vulnerability in Axis Network Cameras, Video Servers and DVRs

by Nikola Strahija on December 21st, 2002

A potential stack buffer overflow has been found in the authentication code of the modified version of Boa used in some of the embedded Linux based Axis products, which may result in DoS attacks, or in a potential system compromise.


1. Topic

Web server vulnerability in Axis Network Cameras, Video Servers and
Network Digital Video Recorders.


2. Description

A potential stack buffer overflow has been found in the authentication
code of the modified version of Boa used in some of the embedded
Linux based Axis products, which may result in DoS attacks, or in a
potential system compromise.

Note: this vulnerability is not present in the official boa distribution
available from ;.


3. Affected products

Axis 2100/2110/2120/2420 Network Camera - Firmware Release 2.33 and
below
Axis 2130 PTZ Network Camera - Firmware Release 2.32
Axis 2400/2401 Video Server - Firmware Release 2.33 and below
Axis 2460 Network DVR - Firmware Release 3.00
Axis 2490 Serial Server - Firmware Release 2.10
Axis 250S MPEG-2 Video Server - Firmware Release 3.01


4. Solution

The part of the authentication code where the buffer overflow may arise
has been corrected and is included in new firmware releases for all
affected products.


5. Releases

Axis 2100 Network Camera (2.33.1)
- ftp://ftp.axis.com/pub_soft/cam_srv/cam_2100/sr/

Axis 2110 Network Camera (2.33.1)
- ftp://ftp.axis.com/pub_soft/cam_srv/cam_2110/sr/

Axis 2120 Network Camera (2.33.1)
- ftp://ftp.axis.com/pub_soft/cam_srv/cam_2120/sr/

Axis 2420 Network Camera (2.33.1)
- ftp://ftp.axis.com/pub_soft/cam_srv/cam_2420/sr/

Axis 2130 PTZ Network Camera (2.32.1)
- ftp://ftp.axis.com/pub_soft/cam_srv/cam_2130/sr/

Axis 2400 Video Server (2.33.1)
- ftp://ftp.axis.com/pub_soft/cam_srv/cam_2400/sr/

Axis 2401 Video Server (2.33.1)
- ftp://ftp.axis.com/pub_soft/cam_srv/cam_2401/sr/

Axis 250S MPEG-2 Video Server (3.02 RC1)
- ftp://ftp.axis.com/pub_soft/cam_srv/cam_250s/release_candidate/3_02/

Axis 2460 Network Digital Video Recorder (3.01)
- ftp://ftp.axis.com/pub_soft/cam_srv/cam_2460/sr/

Axis 2490 Serial Server (2.11.1)
- ftp://ftp.axis.com/pub_soft/cam_srv/cam_2490/sr/

Axis Developer Board LX
Axis Device Server Platform
Axis Developer Board for Bluetooth
- http://developer.axis.com/download/apps/apps-boa-R1_1_19-2_33_2.tgz


6. Acknowledgement


Thanks to D.C. van Moolenbroek and M.C. Schrijver for disclosing this
vulnerability to Axis Communications AB.

