Originally posted on Obsrva
In May 2021, I disclosed a stored cross-site scripting vulnerability affecting 13 different networked camera devices from Avigilon, a Canadian subsidiary of Motorola Solutions focused on network video management software and hardware, surveillance cameras, and access control products. The vulnerability is of low risk to device owners, as it is only exploitable by malicious users with access to the device’s network and administrative credentials, and because some of the devices affected were discontinued at the time of discovery. This disclosure comes as part of my IoT device research series from Obsrva, with previous vulnerabilities including CVE-2021-35956, a stored XSS vulnerability on environmental monitoring devices from AKCP, and CVE-2021-3441, a stored XSS vulnerability on certain HP printers. Avigilon was an excellent partner in the vulnerability disclosure process, providing frequent updates on their progress and adding me to the Motorola Solutions Security Hall of Fame for following their vulnerability disclosure policy. In this post, I’ll describe the vulnerability and the disclosure process.
| Affected product | Patched firmware version |
|---|---|
| H4A Box, Bullet and Dome cameras | Cameras on 4.4.0 branch: 220.127.116.11 or later. Cameras on 4.4.4 branch: 18.104.22.168 or later |
| H4 Pro cameras | 22.214.171.124 |
| H4 Mini Dome | 126.96.36.199 |
| H4SL Bullet and Dome cameras | 188.8.131.52 |
| H3A Bullet and Dome cameras | 184.108.40.206 |
| H3 Box and Dome cameras | 220.127.116.11 |
| Avigilon Presence Detector | 18.104.22.168 |
From the time I disclosed the vulnerability in mid-May, Avigilon took a little over 5 months to release a patch and public details on their support page. While this was quite some time, the disclosure management team was one of the most professional and reasonable teams I’ve dealt with, due in part to constant feedback and updates. The team had clear guidelines to follow, provided exact dates for key parts of the process, and was proactive and honest when experiencing delays. The following timeline represents only the major milestones during the disclosure process.
- May 12, 2021 - I submit the vulnerability disclosure to [email protected]
- May 25, 2021 - An Avigilon representative provides an update, stating they plan to roll out a fix and provides details on how to be added to the Bug Bounty Hall of Fame
- August 26, 2021 - An Avigilon representative provides an update, stating they have reserved CVE-2021-38701 and the Product Management team is planning how to publish the CVE
- September 1, 2021 - I receive a $250.00 Bug Bounty payment from Motorola Solutions
- October 21, 2021 - Avigilon publishes the vulnerability information on their support page
The affected Avigilon products are vulnerable to an authenticated stored cross-site scripting vulnerability via the `deviceLocation` parameter of the general settings. Malicious users can inject a payload via a POST request containing `deviceLocation=Unknownn<svg/onload=alert`xss`>`. Once stored, the payload is triggered when a user visits the about page, located at `https://target/web/about.shtml/`.
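To make the defect and its fix concrete, here is an added example (not Avigilon's code; the settings store, function names and sample request body are assumptions for illustration) that models the flow the disclosure describes: a `deviceLocation` value accepted from a settings POST, then rendered into an about page. It shows the unsafe concatenation beside the output-encoded version, an input check that rejects markup in a location name, and a small detection helper for reviewing captured POST bodies in web-server logs.

```python
import html
import re
from urllib.parse import parse_qs

# Hypothetical in-memory settings store standing in for the device's config.
SETTINGS = {"deviceLocation": "Unknown"}

# A location name never legitimately needs <, >, ", ' or &; allow only
# plain printable text (assumed policy for this example).
LOCATION_RE = re.compile(r"^[\w .,/#()-]{1,64}$")


def save_general_settings(post_body: str, validate: bool = True) -> bool:
    """Parse an x-www-form-urlencoded body and store deviceLocation.

    Returns False (storing nothing) when validation rejects the value.
    """
    params = parse_qs(post_body, keep_blank_values=True)
    location = params.get("deviceLocation", [""])[0]
    if validate and not LOCATION_RE.fullmatch(location):
        return False
    SETTINGS["deviceLocation"] = location
    return True


def render_about_vulnerable() -> str:
    """The 'before' case: the stored value is concatenated straight into HTML."""
    return "<p>Location: " + SETTINGS["deviceLocation"] + "</p>"


def render_about_fixed() -> str:
    """Output-encode at render time so any stored markup is shown as text."""
    escaped = html.escape(SETTINGS["deviceLocation"], quote=True)
    return "<p>Location: " + escaped + "</p>"


def flag_suspicious_location(post_body: str) -> bool:
    """Log-review helper: True when the deviceLocation parameter of a
    captured POST body carries HTML-significant characters or an on* handler."""
    params = parse_qs(post_body, keep_blank_values=True)
    location = params.get("deviceLocation", [""])[0]
    return bool(re.search(r"[<>\"']|\bon\w+\s*=", location))


# Constructed sample body with the same shape as the payload in the disclosure
SAMPLE_BODY = "deviceLocation=Unknownn%3Csvg%2Fonload%3Dalert%60xss%60%3E"
```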
As of October 21, 2021, Avigilon has released a patch for all 13 affected devices. More information can be found on Avigilon’s official support page, support.avigilon.com.
Tyler gained his undergraduate degree in Security and Risk Analysis from The Pennsylvania State University and started his cyber security career at Deloitte, where he served clients as a mainframe application developer, penetration tester, and red team operator. Tyler is credited with several CVEs, including CVE-2021-35956, CVE-2021-3441, and CVE-2021-38701, and was nominated to the Motorola Solutions Bug Bounty Hall of Fame. In 2021, Tyler started Obsrva, an independent vulnerability research outlet focusing on finding, disclosing, and triaging vulnerabilities in open-source software and IoT devices. Tyler currently holds the eWPT and eJPT certifications and is working towards his goal of achieving the Offensive Security Certified Professional (OSCP) certification. For other research details, or for general inquiries, please reach out via email at [email protected]