These three vulnerabilities were found in models HD838 and 438IR of AvertX used as outdoor surveillance cameras with object-detection and infrared and technology built-in. The users can store the recordings both in the cloud on a Network Video Recorder (NVR) or in a memory card.
The three vulnerabilities that were found and confirmed by AvertX were:
CVE-2020-11625: User enumeration
Faulty web user interface (UI) login attempts lead to varied results when the account doesn't exist that could enable attackers to use brute force attacks.
CVE-2020-11624: Weak password requirements
The software does not require users to change from the default password. When the user tries to login with the default password the pop shows 'password has been changed' but lets the user login.
CVE-2020-11623: Exposed dangerous method or function
An exposed UART interface exists that could be exploited by an attacker with physical access to the UART and change diagnostic and configuration functionalities.
The Impact of these Vulnerabilities
The attackers can use a brute force attack by gaining legitimate accounts as the vulnerability allows to collect valid usernames and once the username is accessed it is easy to gain the password via brute force attack.
Since the camera can be accessed by using the default password- can easily make your camera and machine compromised. And the default password can be as easily accessed by reading a user manual, as a result, can connect to Iot devices.
Physical access to UATR ( ..
Support the originator by clicking the read the rest link below.
