The Cybersecurity and Infrastructure Security Agency (CISA) disclosed on Tuesday the presence of multiple vulnerabilities in several Geutebrück G-Cam E2 and Encoder G-Code IP cameras in an Industrial Control Systems (ICS) advisory.
Security researchers at RandoriSec earlier this month detected serious vulnerabilities in the firmware provided by UDP Technology to Geutebrück and many other IP camera vendors.
“We’ve already reported several critical vulnerabilities (from RCE to Authentication Bypass) discovered on Geutebruck products,” Titouan Lazard and Ibrahim Ayadhi wrote in a RandoriSec blog post. “Geutebruck has always been our main contact to reach UDP Technology. In fact, UDP Technology never deigned to acknowledge our reports despite numerous mails and LinkedIn messages. Because new firmwares were released, sometimes failing to patch correctly reported vulnerabilities, we decided to follow the release of newer firmware, looking for more vulnerabilities.”
Because firmware supplier UDP Technology was unwilling to respond, RandoriSec worked with Geutebrück to correct the 11 authenticated remote code execution (RCE) vulnerabilities and a complete authentication bypass that they found in the firmware. RCE is a software security flaw that enables a malicious hacker to execute code of their choice on a remote machine over LAN, WAN, or internet, without gaining physical access to the device. An RCE vulnerability can lead to loss of control over the system or some of its individual components, as well as theft of sensitive information or data.
Deployed globally across critical infrastructure environments, such as energy, healthcare and public health, and transportation systems, the Geutebrück G-Cam E2 and G-Code hardware contained security vulnerabilities that could allow unauthenticated access to sensitive information, stack-based buffer overflow and command injection conditions. These weaknesses may allow remote code execution with low attack complexity, and public exploits are available.
The affected Geutebrück devices, containing the third-party firmware provided by UDP Technology, are the E2 Series cameras – G-CAM versions 126.96.36.199 and prior, versions 188.8.131.52 and 184.108.40.206, along with EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx. The affected Encoder G-Code versions are 220.127.116.11 and prior, versions 18.104.22.168 and 22.214.171.124, along with EEC-2xx and EEN-20xx. UDP Technology supplies multiple OEMs such as Geutebrück with firmware for IP cameras.
RandoriSec’s Lazard and Ayadhi reported these vulnerabilities to CISA, according to the agency’s advisory.
“As you can imagine, the combination of unauthorized access to sensitive files combined with that many RCE vulnerabilities creates a treasure trove for attackers, and finding an attack method that works for you is trivial. And it should not come as a surprise that public exploits are available,” Pieter Arntz, a malware intelligence researcher at Malwarebytes, wrote in a Wednesday blog post.
“Even an attacker having access to your live-stream can be bad enough, but an attacker that has full control of your IP camera is even worse,” according to Arntz. “And, sure enough, a combination of the unauthorized access and some of the RCE vulnerabilities can allow an attacker to achieve root on the IP cameras that are running on the vulnerable firmware,” he added.
Last August, an OS Command Injection vulnerability was found in the Geutebrück G-Cam and G-Code equipment, affecting firmware versions 126.96.36.199 and prior as well as the limited versions 188.8.131.52 and 184.108.40.206 of some Encoder and E2 Series Camera models.
Geutebrück in Germany has advised its users, including Geutebrück G-Cam E2 and Encoder G-Code users, to update all affected cameras and encoders listed to firmware version 220.127.116.11 or later. The security advisory and the latest firmware can both be acquired on the company web portal (login required).
If the updates cannot be deployed, Geutebrück asked users to change the default passwords of the cameras, minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet. It also asked them to locate control system networks and remote devices behind firewalls and isolate them from the business network to minimize the risk of exploitation of these vulnerabilities.
When remote access is required, Geutebrück suggested using secure methods, like virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Users must ultimately shut down or disconnect the cameras from the network.