CVE-2021-33549
Published: 2021-09-13
Priority: P1 80 · high · CVSS 3.1 base score 7.2
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 66.19% (99.2nd percentile)
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to a stack-based buffer overflow condition in the action parameter, which may allow an attacker to remotely execute arbitrary code.
Affected
66 ranges · 25 of them shown on the source page (rows that repeat verbatim are collapsed here)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geutebr_ck | e2_series | — | — |
| geutebr_ck | e2_series | EBC-21xx – 1.12.0.27 | — |
| geutebr_ck | e2_series | EFD-22xx – 1.12.0.27 | — |
| geutebr_ck | e2_series | ETHC-22xx – 1.12.0.27 | — |
| geutebr_ck | e2_series | EWPC-22xx – 1.12.0.27 | — |
| geutebr_ck | encoder_g-code | — | — |
| geutebr_ck | encoder_g-code | EEC-2xx – 1.12.0.27 | — |
| geutebr_ck | encoder_g-code | EEN-20xx – 1.12.0.27 | — |
| geutebrueck | g-cam_ebc-2110_firmware | <= 1.12.0.27 | — |
| geutebrueck | g-cam_ebc-2110_firmware | — | — |
| geutebrueck | g-cam_ebc-2111_firmware | <= 1.12.0.27 | — |
| geutebrueck | g-cam_ebc-2111_firmware | — | — |
| geutebrueck | g-cam_ebc-2112_firmware | <= 1.12.0.27 | — |
Detection & IOCs (extracted from sources)
Path: /uapi-cgi/
Snort/Suricata (ET Open) rules:
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible Stack Buffer Overflow Attempt Outbound (Multiple CVE IDs)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uapi-cgi/"; fast_pattern; content:".cgi"; endswith; http.request_body; content:"action="; pcre:"/^[^&]{150,}/R"; reference:cve,2021-33545; reference:cve,2021-33546; reference:cve,2021-33547; reference:cve,2021-33549; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; classtype:attempted-admin; sid:2033311; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33545, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_05;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible Stack Buffer Overflow Attempt Inbound (Multiple CVE IDs)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uapi-cgi/"; fast_pattern; content:".cgi"; endswith; http.request_body; content:"action="; pcre:"/^[^&]{150,}/R"; reference:cve,2021-33545; reference:cve,2021-33546; reference:cve,2021-33547; reference:cve,2021-33549; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; classtype:attempted-admin; sid:2033312; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33545, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_07;)
Indicators:
- The exploit targets the 'action' POST body parameter of any .cgi endpoint under /uapi-cgi/; a value of 150 or more characters containing no '&' (the rules' pcre `/^[^&]{150,}/R`, anchored right after `action=`) is treated as a buffer overflow attempt.
- The exploit is delivered via an HTTP POST to URIs matching /uapi-cgi/*.cgi on the target camera device.
- Successful exploitation results in remote code execution as root on affected Geutebrück devices.
- A public Metasploit module exists for this vulnerability; it targets the instantrec.cgi endpoint.
Caveats:
- The ET rules cover four CVEs (CVE-2021-33545, -33546, -33547 and -33549) with a single signature, so a match does not by itself confirm CVE-2021-33549 specifically.
- The Metasploit module targets specific firmware versions only (1.12.0.27, 1.12.13.2 and 1.12.14.5); other firmware versions may not be exploitable via that module.
- The ET rules carry a 'confidence Low' metadata tag, meaning false positives are possible; corroborate a match with additional context, such as the device's firmware version and the actual request body.
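To make the rules' logic concrete, the following is an added Python example (written for this page; it is not the Emerging Threats rule, Suricata's matching engine, or code from any of the sources above) that applies the same four conditions, POST method, `/uapi-cgi/` in the URI, URI ending in `.cgi`, and `action=` followed by 150 or more non-`&` bytes, to raw HTTP requests. The sample requests are constructed inline, not captured traffic; the hostname and the parameter names other than `action` are assumptions, and `instantrec.cgi` is used only because the page names it as the Metasploit module's target.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The four CVE IDs the ET rules (sid 2033311 / 2033312) reference: a hit means
# "one of these", not CVE-2021-33549 specifically.
RULE_CVES = ("CVE-2021-33545", "CVE-2021-33546", "CVE-2021-33547", "CVE-2021-33549")

# Equivalent of `content:"action="; pcre:"/^[^&]{150,}/R"` on the request body:
# "action=" followed by at least 150 bytes that are not a parameter separator.
ACTION_RE = re.compile(rb"action=([^&]{150,})")


@dataclass
class Match:
    uri: str
    action_len: int
    cves: tuple = RULE_CVES


def make_post(path: str, body: bytes, host: str = "camera.example") -> bytes:
    """Build a raw HTTP/1.1 POST request (constructed sample traffic, not a capture)."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode() + body


def parse_request(raw: bytes):
    """Split a raw request into (method, uri, body); returns None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return None
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), body


def matches_et_rule(raw: bytes) -> Optional[Match]:
    """Apply the same conditions as ET sid 2033311/2033312 to one request."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, uri, body = parsed
    if method != "POST":                 # http.method; content:"POST"
        return None
    if "/uapi-cgi/" not in uri:          # http.uri; content:"/uapi-cgi/"
        return None
    if not uri.endswith(".cgi"):         # content:".cgi"; endswith
        return None
    m = ACTION_RE.search(body)           # http.request_body; content:"action="; pcre ... /R
    if m is None:
        return None
    return Match(uri=uri, action_len=len(m.group(1)))


def scan(requests: List[bytes]) -> List[Match]:
    """Run the check over a batch of requests and keep the hits."""
    return [hit for hit in map(matches_et_rule, requests) if hit is not None]


# Constructed samples (not captured traffic). instantrec.cgi is the endpoint the public
# Metasploit module targets; the hostname and the parameters other than "action" are made up.
SAMPLE_BENIGN = make_post("/uapi-cgi/instantrec.cgi", b"action=start&stream=1")
SAMPLE_OVERFLOW = make_post("/uapi-cgi/instantrec.cgi", b"action=" + b"A" * 200)
SAMPLE_LONG_OTHER_PARAM = make_post("/uapi-cgi/instantrec.cgi", b"action=start&note=" + b"A" * 200)
SAMPLE_GET = b"GET /uapi-cgi/instantrec.cgi?action=start HTTP/1.1\r\nHost: camera.example\r\n\r\n"
SAMPLE_OTHER_PATH = make_post("/cgi-bin/other.cgi", b"action=" + b"A" * 200)

if __name__ == "__main__":
    batch = [SAMPLE_BENIGN, SAMPLE_OVERFLOW, SAMPLE_LONG_OTHER_PARAM, SAMPLE_GET, SAMPLE_OTHER_PATH]
    for hit in scan(batch):
        print(f"possible overflow attempt: {hit.uri} action length {hit.action_len} "
              f"(one of {', '.join(hit.cves)})")
```

Only `SAMPLE_OVERFLOW` fires: a long value in a different parameter does not, because the `[^&]` class stops at the first separator, and a GET or a request outside `/uapi-cgi/` never reaches the body check. The check is deliberately as coarse as the rule, so a hit still needs the firmware version and the full body before it is treated as CVE-2021-33549 rather than one of the other three CVEs the signature covers. Suricata matches against its normalized `http.uri` buffer, so URL-encoded variants may be handled differently there than by this plain string comparison.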
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| VulnCheck | — | 7.2 | HIGH | — |
The CVSS v3 9.8 quoted in the CISA advisory below is the advisory-wide score for the whole set of findings (which also includes missing authentication and command injection); NVD scores this CVE on its own at 7.2 because exploiting the overflow requires high privileges (PR:H).
GHSA
GHSA-w6hr-fq55-vx95 · ghsa_unreviewed · 2022-05-24 · CVE-2021-33549 [HIGH] · CWE-121
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to a stack-based buffer overflow condition in the action parameter, which may allow an attacker to remotely execute arbitrary code.
VulnCheck
geutebruck g-cam_ebc-2110 Stack-based Buffer Overflow
vulncheck · 2021 · CVSS 7.2 · CVE-2021-33549 [HIGH]
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to a stack-based buffer overflow condition in the action parameter, which may allow an attacker to remotely execute arbitrary code.
Affected: geutebruck g-cam_ebc-2110
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits
CISA ICS
Geutebrück G-Cam E2 and G-Code
cisa_ics · 2021-07-27 · CVSS 9.8 · [CRITICAL]
ICS Advisory ICSA-21-208-03 · Last revised July 27, 2021
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Geutebrück
- Equipment: G-Cam E2 and G-Code
- Vulnerabilities: Missing Authentication for Critical Function, Command Injection, Stack-based Buffer Overflow
## 2. RISK EVALUATION
UDP Technology supplies multiple OEMs such as Geutebrück with firmware for IP cameras. Successful exploitation of these vulnerabilities could allow unauthenticated access to sensitive i
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible Stack Buffer Overflow Attempt Outbound (Multiple CVE IDs)
suricata · 2021-07-09 · CVE-2021-33545 · sid:2033311 (full rule text under Detection & IOCs above)
Suricata
ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible Stack Buffer Overflow Attempt Inbound (Multiple CVE IDs)
suricata · 2021-07-09 · CVE-2021-33545 · sid:2033312 (full rule text under Detection & IOCs above)
arXiv
CToMP: A Cycle-task-oriented Memory Protection Scheme for Unmanned Systems
arxiv_fulltext · 2023-09-12 · research paper (2022)
Authors: Chengyan Ma [1], Ning Xi [1], Di Lu [2], Yebo Feng [3], Jianfeng Ma [1]
[1] School of Cyber Engineering, Xidian University, Xi'an 710071, China
[2] School of Computer Science and Technology, Xidian University, Xi'an 710071, China
[3] University of Oregon, Eugene 97403, USA
Memory corruption attacks (MCAs) refer to malicious behaviors of system intruders that modify the contents of a memory location to disrupt the normal operation of computing systems, causing leakage of sensitive data or perturbations to ongoing processes.
Unlike general-purpose systems, unmanned systems cannot d
Bleepingcomputer
blogs_bleepingcomputer · 2023-10-10 · CVSS 9.8 · [CRITICAL]
## Mirai DDoS malware variant expands targets with 13 router exploits
By Bill Toulas
A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads to target Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others.
Fortinet researchers report observing a peak in the exploitation rates around the first week of September, reaching tens of thousands of exploitation attempts against vulnerable devices.
IZ1H9 compromises devices to enlist them to its DDoS swarm and then launches DDoS attacks on specified targets, presumably on the order of clients renting its firepower.
## Extensive IoT targeting
The more devices and vulnerabilities targeted by a DDoS malware increased the potential to build a large and powerful
References:
- http://packetstormsecurity.com/files/164191/Geutebruck-instantrec-Remote-Command-Execution.html
- https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03
- https://www.randorisec.fr/fr/udp-technology-ip-camera-vulnerabilities/