Core Security Technologies recently reported an authentication bypass for Axis Network Cameras that affects the following models:
The exploit is simple and requires only a web browser to make unauthorized changes to the camera’s configuration. Left unchecked, the flaw could allow a malicious user to reconfigure the camera to use excessive bandwidth, change the FTP or email destinations for images, or even disable the camera entirely.
The good news is that a fix is readily available and is easily applied by updating the camera’s firmware to the current release available at Axis’s Support Website at http://www.axis.com/techsup/firmware.asp?value=camserver
For more information on this exploit, see Core’s advisory at http://www.coresecurity.com/common/showdoc.php?idx=329&idxseccion=10