Vulnerability Note VU#253708
Grandsteam GXV3611_HD camera is vulnerable to SQL injection
Original Release date: 07 Jul 2015 | Last revised: 07 Jul 2015

Overview
The Grandsteam GXV3611_HD is an IP network camera used for surveillance and security. The Grandsteam GXV3611_HD is vulnerable to a SQL injection attack.

Description
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – CVE-2015-2866
The Grandstream GXV3611_HD camera with firmware of 1.0.3.6 or before does not correctly perform input validation on the username field of the telnet login. An attacker may exploit this weakness to execute a SQL injection attack on the camera’s configuration.

Impact
A remote unauthenticated attacker may be able to perform a SQL injection to view or modify the configuration of the device.

Solution
Update the firmware

Grandstream has released firmware 1.0.3.9 beta to address this issue. Consider updating your camera’s firmware as soon as possible.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedGrandstreamAffected-30 Jun 2015If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

Temporal
5.0
E:POC/RL:OF/RC:C

Environmental
3.8
CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

http://www.grandstream.com/support/firmware

Credit

Thanks to the Living Lab at IUPUI for reporting this vulnerability to us.
This document was written by Garret Wassermann.

Other Information

CVE IDs:
CVE-2015-2866

Date Public:
07 Jul 2015

Date First Published:
07 Jul 2015

Date Last Updated:
07 Jul 2015

Document Revision:
51

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply