Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Grandsteam GXV3611_HD camera is vulnerable to SQL injection
Informations
Name VU#253708 First vendor Publication 2015-07-07
Vendor VU-CERT Last vendor Modification 2015-07-07
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#253708

Grandsteam GXV3611_HD camera is vulnerable to SQL injection

Original Release date: 07 Jul 2015 | Last revised: 07 Jul 2015

Overview

The Grandsteam GXV3611_HD is an IP network camera used for surveillance and security. The Grandsteam GXV3611_HD is vulnerable to a SQL injection attack.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-2866

The Grandstream GXV3611_HD camera with firmware of 1.0.3.6 or before does not correctly perform input validation on the username field of the telnet login. An attacker may exploit this weakness to execute a SQL injection attack on the camera's configuration.

Impact

A remote unauthenticated attacker may be able to perform a SQL injection to view or modify the configuration of the device.

Solution

Update the firmware

Grandstream has released firmware 1.0.3.9 beta to address this issue. Consider updating your camera's firmware as soon as possible.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
GrandstreamAffected-30 Jun 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base6.4AV:N/AC:L/Au:N/C:P/I:P/A:N
Temporal5.0E:POC/RL:OF/RC:C
Environmental3.8CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www.grandstream.com/support/firmware

Credit

Thanks to the Living Lab at IUPUI for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:CVE-2015-2866
  • Date Public:07 Jul 2015
  • Date First Published:07 Jul 2015
  • Date Last Updated:07 Jul 2015
  • Document Revision:51

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/253708

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Os 1

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2015-07-09 21:30:45
  • Multiple Updates
2015-07-08 21:31:37
  • Multiple Updates
2015-07-07 21:25:36
  • First insertion