Details of VAR-201803-2213

ID

VAR-201803-2213

CVE

CVE-2018-7520

TITLE

Geutebruck IP Cameras Incorrect access control vulnerability

Trust: 0.8

sources: IVD: e2e8f6e2-39ab-11e9-b0e9-000c29342cb1 // CNVD: CNVD-2018-06020

DESCRIPTION

An improper access control vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which could allow a full configuration download, including passwords. Geutebruck G-Cam/EFD-2250 and Topline TopFD-2125 Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The G-Cam/EFD-2250 and ToplineTopFD-2125 are both high-definition cameras from Geutebruck. Multiple Geutebruck devices are prone to the following multiple security vulnerabilities. 1. An authentication-bypass vulnerability 2. A SQL-injection vulnerability 3. A cross-site request-forgery vulnerability 4. An access-bypass vulnerability 5. A security-bypass vulnerability 6. A cross-site scripting vulnerability Attackers may exploit these issues to gain unauthorized access to the affected device, or to bypass certain security restrictions to perform unauthorized actions, to compromise the application to access or modify data and to exploit vulnerabilities in the underlying database, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or to execute arbitrary code within the context of the affected device. The following devices are vulnerable: Geutebruck G-Cam/EFD-2250 version 1.12.0.4 Geutebruck Topline TopFD-2125 version 3.15.1. Geutebrück G-Cam/EFD-2250 and Topline TopFD-2125 are IP camera products of German Geutebrück company

Trust: 2.7

sources: NVD: CVE-2018-7520 // JVNDB: JVNDB-2018-003343 // CNVD: CNVD-2018-06020 // BID: 103474 // IVD: e2e8f6e2-39ab-11e9-b0e9-000c29342cb1 // VULHUB: VHN-137552

IOT TAXONOMY

category:	['IoT', 'ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: e2e8f6e2-39ab-11e9-b0e9-000c29342cb1 // CNVD: CNVD-2018-06020

AFFECTED PRODUCTS

vendor:	geutebruck	model:	g-cam/efd-2250	scope:	eq	version:	1.12.0.4	Trust: 1.7
vendor:	geutebrueck	model:	topfd-2125	scope:	eq	version:	3.15.1	Trust: 1.6
vendor:	geutebrueck	model:	g-cam\/efd-2250	scope:	eq	version:	1.12.0.4	Trust: 1.6
vendor:	geutebruck	model:	topline topfd-2125	scope:	eq	version:	3.15.1	Trust: 0.9
vendor:	geutebruck	model:	topfd-2125	scope:	eq	version:	3.15.1	Trust: 0.8
vendor:	geutebruck	model:	g-cam/efd-2250	scope:	ne	version:	1.12.0.19	Trust: 0.3
vendor:	g cam efd 2250	model:	-	scope:	eq	version:	1.12.0.4	Trust: 0.2
vendor:	topfd 2125	model:	-	scope:	eq	version:	3.15.1	Trust: 0.2

sources: IVD: e2e8f6e2-39ab-11e9-b0e9-000c29342cb1 // CNVD: CNVD-2018-06020 // BID: 103474 // JVNDB: JVNDB-2018-003343 // CNNVD: CNNVD-201803-764 // NVD: CVE-2018-7520

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-7520
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-7520
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2018-06020
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201803-764
value:	CRITICAL
Trust: 0.6
IVD:	e2e8f6e2-39ab-11e9-b0e9-000c29342cb1
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-137552
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-7520
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	CVE-2018-7520
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2018-06020
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2e8f6e2-39ab-11e9-b0e9-000c29342cb1
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-137552
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-7520
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2018-7520
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: e2e8f6e2-39ab-11e9-b0e9-000c29342cb1 // CNVD: CNVD-2018-06020 // VULHUB: VHN-137552 // JVNDB: JVNDB-2018-003343 // CNNVD: CNNVD-201803-764 // NVD: CVE-2018-7520

PROBLEMTYPE DATA

problemtype:	CWE-284	Trust: 1.9
problemtype:	NVD-CWE-Other	Trust: 1.0

sources: VULHUB: VHN-137552 // JVNDB: JVNDB-2018-003343 // NVD: CVE-2018-7520

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-764

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201803-764

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-003343

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-137552

PATCH

title:	Top Page	url:	https://www.geutebrueck.com/en_EN.html	Trust: 0.8
title:	GeutebruckIPCameras patch for incorrect access control vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/122845	Trust: 0.6
title:	Geutebrück G-Cam/EFD-2250 and Topline TopFD-2125 Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79350	Trust: 0.6

sources: CNVD: CNVD-2018-06020 // JVNDB: JVNDB-2018-003343 // CNNVD: CNNVD-201803-764

EXTERNAL IDS

db:	NVD	id:	CVE-2018-7520	Trust: 3.6
db:	ICS CERT	id:	ICSA-18-079-01	Trust: 3.4
db:	BID	id:	103474	Trust: 2.0
db:	CNNVD	id:	CNNVD-201803-764	Trust: 0.9
db:	CNVD	id:	CNVD-2018-06020	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-003343	Trust: 0.8
db:	IVD	id:	E2E8F6E2-39AB-11E9-B0E9-000C29342CB1	Trust: 0.2
db:	PACKETSTORM	id:	148380	Trust: 0.1
db:	VULHUB	id:	VHN-137552	Trust: 0.1

sources: IVD: e2e8f6e2-39ab-11e9-b0e9-000c29342cb1 // CNVD: CNVD-2018-06020 // VULHUB: VHN-137552 // BID: 103474 // JVNDB: JVNDB-2018-003343 // CNNVD: CNNVD-201803-764 // NVD: CVE-2018-7520

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-18-079-01	Trust: 3.4
url:	http://www.securityfocus.com/bid/103474	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7520	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-7520	Trust: 0.8
url:	http://www.geutebrueck.com/en_en/product-overview-31934.html	Trust: 0.3

sources: CNVD: CNVD-2018-06020 // VULHUB: VHN-137552 // BID: 103474 // JVNDB: JVNDB-2018-003343 // CNNVD: CNNVD-201803-764 // NVD: CVE-2018-7520

CREDITS

Davy Douhine of RandoriSec and Nicolas Mattiocco of Greenlock.

Trust: 0.3

sources: BID: 103474

SOURCES

db:	IVD	id:	e2e8f6e2-39ab-11e9-b0e9-000c29342cb1
db:	CNVD	id:	CNVD-2018-06020
db:	VULHUB	id:	VHN-137552
db:	BID	id:	103474
db:	JVNDB	id:	JVNDB-2018-003343
db:	CNNVD	id:	CNNVD-201803-764
db:	NVD	id:	CVE-2018-7520

LAST UPDATE DATE

2024-11-23T21:53:17.617000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-06020	date:	2018-03-22T00:00:00
db:	VULHUB	id:	VHN-137552	date:	2020-10-02T00:00:00
db:	BID	id:	103474	date:	2018-03-20T00:00:00
db:	JVNDB	id:	JVNDB-2018-003343	date:	2018-05-22T00:00:00
db:	CNNVD	id:	CNNVD-201803-764	date:	2020-10-09T00:00:00
db:	NVD	id:	CVE-2018-7520	date:	2024-11-21T04:12:17.273

SOURCES RELEASE DATE

db:	IVD	id:	e2e8f6e2-39ab-11e9-b0e9-000c29342cb1	date:	2018-03-22T00:00:00
db:	CNVD	id:	CNVD-2018-06020	date:	2018-03-22T00:00:00
db:	VULHUB	id:	VHN-137552	date:	2018-03-22T00:00:00
db:	BID	id:	103474	date:	2018-03-20T00:00:00
db:	JVNDB	id:	JVNDB-2018-003343	date:	2018-05-22T00:00:00
db:	CNNVD	id:	CNNVD-201803-764	date:	2018-03-22T00:00:00
db:	NVD	id:	CVE-2018-7520	date:	2018-03-22T18:29:00.963