PTZ1 and security flaw

EDDYH

New member
Hi there,
we have a PTZ1 and as part of some standard security tests it's been identified that the camera is running/using some software components that the system finds as a security flaw - Anyone have any idea if this is something that's patchable/fixable? I've made sure it's on the latest firmware VHR121f but don't know what else we can try and do to ensure that the camera passes these?

I've included the information the security team have passed me below so any ideas or thoughts would be really appreciated.

According to its banner, the version of Portable SDK for UPnP Devices (libupnp) running on the remote host is prior to 1.6.18. It is, therefore, affected by multiple remote code execution vulnerabilities :

- A stack-based buffer overflow condition exists in the unique_service_name() function within file ssdp/ssdp_server.c when handling Simple Service Discovery Protocol (SSDP) requests that is triggered while copying the DeviceType URN. An unauthenticated, remote attacker can exploit this, via a specially crafted SSDP request, to execute arbitrary code. (CVE-2012-5958)

- A stack-based buffer overflow condition exists in the unique_service_name() function within file ssdp/ssdp_server.c when handling Simple Service Discovery Protocol (SSDP) requests that is triggered while copying the UDN prior to two colons. An unauthenticated, remote attacker can exploit this, via a specially crafted SSDP request, to execute arbitrary code. (CVE-2012-5959)

- A stack-based buffer overflow condition exists in the unique_service_name() function within file ssdp/ssdp_server.c when handling Simple Service Discovery Protocol (SSDP) requests that is triggered while copying the UDN prior to the '::upnp:rootdevice' string. An unauthenticated, remote attacker can exploit this, via a specially crafted SSDP request, to execute arbitrary code. (CVE-2012-5960)

- Multiple stack-based buffer overflow conditions exist in the unique_service_name() function within file ssdp/ssdp_server.c due to improper validation of the UDN, DeviceType, and ServiceType fields when parsing Simple Service Discovery Protocol (SSDP) requests. An unauthenticated, remote attacker can exploit these issues, via a specially crafted SSDP request, to execute arbitrary code. (CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965)

Solution

Upgrade to libupnp version 1.6.18 or later. If libupnp is used as a third party library by a different application, contact the vendor of that application for a fix.
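
The finding quoted in the post above is banner-based, so the same check can be repeated after each firmware update. The following is an added example, not part of the original thread or any vendor tooling; it assumes the camera answers a unicast SSDP M-SEARCH on UDP 1900 and names libupnp in its SERVER header, and the sample responses are constructed.

```python
import re
import socket

FIXED = (1, 6, 18)  # first libupnp release the advisory lists as fixed
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n')
# libupnp identifies itself as "Portable SDK for UPnP devices/x.y.z"
SDK_RE = re.compile(r"Portable SDK for UPnP devices/(\d+(?:\.\d+)*)", re.I)


def server_header(response: bytes):
    """Return the SERVER header value of an SSDP response, or None."""
    for line in response.decode("latin-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify(response: bytes):
    """Return (status, version): 'vulnerable', 'fixed', or 'unknown'."""
    m = SDK_RE.search(server_header(response) or "")
    if not m:
        return ("unknown", None)  # no banner seen: proves nothing either way
    version = tuple(int(p) for p in m.group(1).split("."))
    padded = version + (0,) * (3 - len(version))
    return ("vulnerable" if padded < FIXED else "fixed", m.group(1))


def probe(host: str, timeout: float = 3.0):
    """Send one M-SEARCH to a camera you administer and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(MSEARCH, (host, 1900))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return ("unknown", None)
    return classify(data)


# Constructed sample responses (not captured from a real PTZ1)
OLD = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
       b"SERVER: Linux/3.10, UPnP/1.0, Portable SDK for UPnP devices/1.6.17\r\n"
       b"ST: upnp:rootdevice\r\n\r\n")
NEW = OLD.replace(b"1.6.17", b"1.6.18")
```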
 

SBowie

'the write stuff'
Staff member
As you're apparently running the latest firmware, in this case I'd suggest writing a bug case.

 

EDDYH

New member
Hi there,
I registered a bug on the link provided, but now it appears that the ticket I created and actually my user account has also been deleted! Any thoughts?
 

SBowie

'the write stuff'
Staff member
> Hi there,
> I registered a bug on the link provided, but now it appears that the ticket I created and actually my user account has also been deleted! Any thoughts?

Can you supply the Case number so I can look it up?
 

EDDYH

New member
Cheers for that!

111063_s952sghbe2po7oej

I've tried to re-register using the same email address I used to create the bug too, so I'll see if that lets me back in as well!
 

SBowie

'the write stuff'
Staff member
I see action moving forward on your case, including an email to you from QA on the 18th. Did you not receive this? (Maybe check your spam filter?)

Perhaps I should explain that user-submitted case details are not publicly available after entry, even though they are making their way through the bug system. However, having your details allows QA (or others, as it's useful) to reply to you by email with questions. You can also submit updates to the case by email.
 

EDDYH

New member
Ah, thanks Steve, didn't realise they disappeared after entry! I got the email from QA saying it was being looked into, so I'll await more information. Because I logged the bug, would I be likely to be contacted when it's fixed, do you know?
 

SBowie

'the write stuff'
Staff member
> Ah, thanks Steve, didn't realise they disappeared after entry! I got the email from QA saying it was being looked into, so I'll await more information. Because I logged the bug, would I be likely to be contacted when it's fixed, do you know?

As lovely as that notion is, I would not expect it ('the moving finger, having writ, moves on'). :p
 

EDDYH

New member
No worries, I'll keep checking for firmware releases and see if there's a nod to it in the bugs fixed. Cheers!
 