CVE-2016-7834
published 2017-04-13CVE-2016-7834: SONY SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520…
PriorityP355high8.8CVSS 3.0
AVAACLPRNUINSUCHIHAH
EXPLOIT
EPSS
3.90%
89.0th percentile
SONY SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C network cameras with firmware before Ver.1.86.00 and SONY SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL network cameras with firmware before Ver.2.7.2 are prone to sensitive information disclosure. This may allow an attacker on the same local network segment to login to the device with administrative privileges and perform operations on the device.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sony | snc_series_firmware | <= 1.8.5.00 | — |
| sony | snc_series_firmware | <= 2.7.0 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Send a GET request to /command/prima-factory.cgi with the hardcoded Bearer token cHJpbWFuYTpwcmltYW5h (base64 for 'primana:primana'). A 204 HTTP status response combined with a 'gen5th' or 'gen6th' string in the response header confirms the backdoor account is active. ↗
- →Response header containing 'gen5th' or 'gen6th' is a strong indicator of a vulnerable Sony IPELA Engine IP camera with the hardcoded backdoor account. ↗
- →The vulnerability involves a hardcoded credential backdoor accessible via HTTP and also associated with telnet on Sony SNC-series cameras. Monitor for unauthorized access attempts using the 'primana' account. ↗
- →Attack vector is adjacent network (AV:A); restrict lateral access to Sony SNC camera management interfaces on the local network segment to limit exposure. ↗
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.03.3LOWAV:A/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Sony IPELA Engine IP Camera - Hardcoded Account
nuclei·CVSS 8.8
CVE-2016-7834 [HIGH] Sony IPELA Engine IP Camera - Hardcoded Account
Sony IPELA Engine IP Camera - Hardcoded Account
Multiple SONY network cameras are vulnerable to sensitive information disclosure via hardcoded credentials.
Template:
id: CVE-2016-7834
info:
name: Sony IPELA Engine IP Camera - Hardcoded Account
author: af001
severity: high
description: |
Multiple SONY network cameras are vulnerable to sensitive information disclosure via hardcoded credentials.
impact: |
An attacker can gain unauthorized access to the camera and potentially control its functions.
remediation: |
Upgrade to the latest version of the firmware provided by Sony.
reference:
- https://sec-consult.com/vulnerability-lab/advisory/backdoor-vulnerability-in-sony-ipela-engine-ip-cameras/
- https://www.bleepingcomputer.com/news/security/backdoor-found-in-80-sony-surveillance-camera-mo
2017-04-13
Published