AVA-269: vcam USB debug console not disabled

Release Date

4th June 2020

Overview

The vcam USB-C interface used for initial configuration has a debugging serial console enabled which provides root access to the underlying vcam operating system. This allows an attacker with physical access to a camera to execute arbitrary software along with attacks on the configuration of a camera.

Affected Products

  • Vaion vcam: stable versions up to and including 1.1.0, and beta versions up to and including 1.2.2

Unaffected Products

  • Vaion vcore: All versions.
  • Vaion vcloud: All versions

Resolution

This issue has been fixed in vcam version 1.2.3 (dome: 20200603_07513 pano: 20200603_07514) and 1.1.1 (dome: 20200603_07527, pano: 20200603_07528).

We strongly recommended that all vcam installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the vcore user interface and the vcam user interface for unmanaged vcam cameras.

See How to: Upgrade your Vaion vcam devices from vcore and How to: Set the Vaion vcam System settings locally for more details.

Vulnerability Information

The vcam USB-C interface exposes a USB serial interface which would allow an attacker to access the root console of the base operating system without authentication. This leaves the operating system vulnerable to code being injected and executed, or the camera being misconfigured. This could affect footage being sent from vcam.

Note that the USB interface is physically within the camera housing, so an attacker would need to remove the outer housing of the vcam camera to access it.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

  • 02/06/2020 Issue found internally by Ava Security
  • 03/06/2020 Root cause established
  • 03/06/2020 Fix identified
  • 04/06/2020 Patched vcam released
  • 04/06/2020 Vulnerability publicly disclosed