Date of Disclosure: August 1, 2024
CVE-ID and CVSS Score: CVE-2024-7029: CVSS 8.7 (High)
Issue Name and Description: Command injection vulnerability in AVTECH CCTV cameras that allows attackers to execute arbitrary commands via the “brightness” parameter of the device’s CGI interface. Researchers from Akamai SIRT reported observing botnet campaigns targeting this vulnerability to spread Corona Mirai, a Mirai variant whose strings reference the COVID-19 virus. Although the exact number of cameras affected by this CVE is uncertain, Censys reports that nearly 38,000 AVTECH cameras are exposed online.
Asset Description and Affected Versions: This vulnerability affects AVTECH IP cameras running firmware versions up to and including AVM1203 FullImg-1023-1007-1011-1009. Despite being end-of-life, these devices are still in use globally, including in the Commercial Facilities, Finance, Healthcare, and Transportation Systems sectors according to CISA.
AVTECH SECURITY Corporation is a Taiwanese CCTV manufacturer that has been in business since 1996. CISA reported that the company did not respond to requests to help mitigate the vulnerability. Its website, while functional, carries a 2018 copyright notice in the footer, suggesting it may not be actively maintained.
Vulnerability Impact: The vulnerability allows for command injection via the brightness function in the CGI script located at /cgi-bin/supervisor/Factory.cgi. Attackers can send specially crafted requests to the device, enabling them to execute arbitrary commands on the underlying operating system. A threat actor exploiting this vulnerability could gain remote access and execute arbitrary commands with elevated privileges, potentially leading to other actions such as malware deployment or further network compromise.
Exploitation Details: This vulnerability is actively exploited and a public PoC is available. CISA released an Industrial Control Systems vulnerability advisory for the issue. The Corona Mirai botnet began targeting this vulnerability in March 2024, leveraging it alongside older exploits for unpatched flaws.
Patch Availability: At the time of writing there is no official patch provided for this vulnerability. Consider decommissioning affected AVTECH devices to mitigate risks or isolate vulnerable devices from critical infrastructure and sensitive data to limit any potential damage from exploitation. In addition, refer to Akamai’s list of IoCs of Corona Mirai to inspect your devices for compromise.
Censys Perspective:
At the time of writing, Censys observes 37,995 exposed AVTECH cameras online. Not all of these are necessarily vulnerable to this CVE, but all are end-of-life products and should not be exposed to the public internet.
To identify exposed AVTECH cameras on your networks, the following Censys queries can be used:
Censys Search Query:
services.http.response.body:{`/avtech/jpg/left.jpg`, `href="/avtech/favicon.ico"`} or services.http.response.headers: (key: `Server` and value.headers: `Linux/2.x UPnP/1.0 Avtech/1.0`)
Censys ASM Query:
host.services: (software.vendor:"AVTECH" AND software.product:"IP Camera")
A risk will also be available for ASM customers within 24 hours:
risks.name: "Exposed AVTECH Camera"
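As an added example that is not part of the Censys advisory, the script below turns the fingerprint markers from the queries above into a local check against a captured HTTP response, and scans web-server access log lines for requests to /cgi-bin/supervisor/Factory.cgi whose brightness value is not a plain integer, which is the condition a defender would alert on given the injection described earlier. The HTTP response and the Common Log Format lines are constructed sample data; the injected command is a placeholder, not a real payload.

```python
import re
from urllib.parse import unquote, urlsplit

# Fingerprint markers taken from the Censys queries in this advisory.
AVTECH_SERVER_HEADER = "Linux/2.x UPnP/1.0 Avtech/1.0"
AVTECH_BODY_MARKERS = ("/avtech/jpg/left.jpg", 'href="/avtech/favicon.ico"')
FACTORY_CGI = "/cgi-bin/supervisor/Factory.cgi"

# Constructed sample HTTP response and access log lines (not captured from a real device).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Linux/2.x UPnP/1.0 Avtech/1.0\r\nContent-Type: text/html\r\n\r\n"
    '<html><body><img src="/avtech/jpg/left.jpg"></body></html>'
)
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [01/Aug/2024:10:00:00 +0000] "GET /cgi-bin/supervisor/Factory.cgi?brightness=50 HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Aug/2024:10:00:05 +0000] "GET /cgi-bin/supervisor/Factory.cgi?brightness=1%3BPLACEHOLDER_INJECTED_COMMAND HTTP/1.1" 200 12',
    '203.0.113.10 - - [01/Aug/2024:10:00:09 +0000] "GET /avtech/jpg/left.jpg HTTP/1.1" 200 814',
]

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def is_avtech_camera(raw_response: str) -> bool:
    """True if a raw HTTP response carries the AVTECH Server header or body markers."""
    head, _, body = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server" and value.strip() == AVTECH_SERVER_HEADER:
            return True
    return any(marker in body for marker in AVTECH_BODY_MARKERS)


def suspicious_brightness_requests(log_lines):
    """Return (source, decoded brightness value) for Factory.cgi requests with a non-numeric brightness."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != FACTORY_CGI:
            continue
        # Parse the query by hand so that a ';' inside a value is never treated as a separator.
        for pair in parts.query.split("&"):
            key, _, value = pair.partition("=")
            if unquote(key) == "brightness" and not re.fullmatch(r"[0-9]+", unquote(value)):
                hits.append((m.group("src"), unquote(value)))
    return hits


if __name__ == "__main__":
    print("AVTECH fingerprint:", is_avtech_camera(SAMPLE_RESPONSE))
    print("Suspicious requests:", suspicious_brightness_requests(SAMPLE_ACCESS_LOG))
```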
References:
- https://www.akamai.com/blog/security-research/2024-corona-mirai-botnet-infects-zero-day-sirt
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-07
- https://nvd.nist.gov/vuln/detail/CVE-2024-7029