CVE-2013-4985
Published 2019-12-27
CVE-2013-4985: Multiple Vivotek IP Cameras remote authentication bypass that could allow access to the video stream
Priority P2 · 65 · high · 7.5 CVSS 3.1
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:N · A:N
EXPLOIT
EPSS: 8.97% (94.6th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vivotek | ip7160_firmware | — | — |
| vivotek | ip7160_firmware | — | — |
| vivotek | ip7361_firmware | — | — |
| vivotek | ip7361_firmware | — | — |
| vivotek | ip8332_firmware | — | — |
| vivotek | ip8332_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detect RTSP authentication bypass attempts by monitoring for RTSP DESCRIBE requests on TCP port 554 where the Authorization header contains a single-character Base64 token (e.g., 'Authorization: Basic a'), indicating a spoofed/minimal credential used to bypass basic auth.
- Monitor for RTSP traffic (TCP port 554) targeting Vivotek IP cameras (IP7160, IP7361, IP8332) with firmware versions 0105a or 0105b, particularly DESCRIBE requests to the /live.sdp resource.
- Alert on RTSP sessions where a 401 Unauthorized response is followed immediately by a subsequent DESCRIBE request bearing a trivially short or invalid Authorization: Basic value, as the PoC intercepts and replaces the credential with a single character.
- Consider filtering or alerting on all inbound RTSP traffic (default port 554) from untrusted/internet-facing sources targeting Vivotek camera endpoints.
- The vulnerability only applies when RTSP basic authentication is explicitly enabled on the camera; the vendor noted that RTSP authentication is disabled by default, meaning default-configured cameras may not be directly exploitable via this bypass but are still unauthenticated.
- Affected firmware versions are 0105a and 0105b; the vendor released beta firmware 0301c as the fix. Cameras not yet patched to 0301c or later remain vulnerable.
- The PoC acts as a TCP proxy/tunnel that rewrites the Authorization header in-flight; detection must therefore account for man-in-the-middle proxy scenarios and not solely rely on direct camera traffic inspection.
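The first and third detection notes above, sketched as an added example (not code from this page or from the advisory): it flags DESCRIBE requests whose Authorization: Basic value cannot decode to user:password and records whether a 401 response preceded them. The message tuples, the 192.0.2.10 address and the viewer:s3cret credential are constructed sample data, and the sketch assumes a sensor that has already reassembled the RTSP messages arriving at the camera.

```python
import base64
import binascii

GOOD = base64.b64encode(b"viewer:s3cret").decode()  # constructed credential
# Constructed sample: one reassembled RTSP stream on TCP/554 as (direction, message).
SAMPLE = [
    ("c2s", "DESCRIBE rtsp://192.0.2.10/live.sdp RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    ("s2c", "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n\r\n"),
    ("c2s", "DESCRIBE rtsp://192.0.2.10/live.sdp RTSP/1.0\r\nCSeq: 2\r\n"
            "Authorization: Basic a\r\n\r\n"),
    ("s2c", "RTSP/1.0 200 OK\r\nCSeq: 2\r\n\r\n"),
    ("c2s", "DESCRIBE rtsp://192.0.2.10/live.sdp RTSP/1.0\r\nCSeq: 3\r\n"
            f"Authorization: Basic {GOOD}\r\n\r\n"),
]

def parse(raw):
    """Split an RTSP message into (start_line, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers

def basic_token_is_malformed(value):
    """True when a Basic credential cannot decode to 'user:password'."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return True  # e.g. the single-character token 'a'
    return b":" not in decoded

def detect(messages):
    """Return one alert per DESCRIBE request with a malformed Basic credential."""
    alerts, saw_401 = [], False
    for direction, raw in messages:
        start, headers = parse(raw)
        if direction == "s2c":  # remember whether the server just challenged
            saw_401 = start.split(" ")[1:2] == ["401"]
            continue
        method, _, rest = start.partition(" ")
        auth = headers.get("authorization")
        if method == "DESCRIBE" and auth and basic_token_is_malformed(auth):
            alerts.append({"uri": rest.split(" ")[0], "authorization": auth,
                           "after_401": saw_401})
        saw_401 = False
    return alerts
```

Calling `detect(SAMPLE)` yields a single alert for the `Basic a` request; the well-formed credential on the third request is not flagged.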
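CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |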
References
- http://www.coresecurity.com/advisories/vivotek-ip-cameras-rtsp-authentication-bypass
- http://www.exploit-db.com/exploits/29516
- http://www.securityfocus.com/bid/63541