CVE-2017-8228

Amcrest IPM-721S Credential Disclosure / Privilege Escalation

Severity Score

8.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices mishandle reboots within the past two hours. Amcrest cloud services does not perform a thorough verification when allowing the user to add a new camera to the user's account to ensure that the user actually owns the camera other than knowing the serial number of the camera. This can allow an attacker who knows the serial number to easily add another user's camera to an attacker's cloud account and control it completely. This is possible in case of any camera that is currently not a part of an Amcrest cloud account or has been removed from the user's cloud account. Also, another requirement for a successful attack is that the user should have rebooted the camera in the last two hours. However, both of these conditions are very likely for new cameras that are sold over the Internet at many ecommerce websites or vendors that sell the Amcrest products. The successful attack results in an attacker being able to completely control the camera which includes being able to view and listen on what the camera can see, being able to change the motion detection settings and also be able to turn the camera off without the user being aware of it. Note: The same attack can be executed using the Amcrest Cloud mobile application.

Los dispositivos Amcrest IPM-721S V2.420.AC00.16.R.20160909 no se manejan correctamente durante las últimas dos horas. Los servicios en la nube de Amcrest no realizan una verificación exhaustiva cuando permiten que el usuario agregue una nueva cámara a la cuenta del usuario para garantizar que el usuario sea el propietario de la cámara, aparte de saber el número de serie de la cámara. Esto puede permitir que un atacante que conoce el número de serie agregue fácilmente la cámara de otro usuario a la cuenta de la nube de un atacante y la controle completamente. Esto es posible en el caso de que cualquier cámara que actualmente no sea parte de una cuenta en la nube de Amcrest o haya sido eliminada de la cuenta en la nube del usuario. Además, otro requisito para un ataque exitoso es que el usuario debería haber reiniciado la cámara en las últimas dos horas. Sin embargo, ambas condiciones son muy probables para las nuevas cámaras que se venden a través de Internet en muchos sitios web de comercio electrónico o proveedores que venden los productos Amcrest. El ataque con éxito hace que un atacante pueda controlar completamente la cámara, lo que incluye poder ver y escuchar lo que la cámara puede ver, poder cambiar la configuración de detección de movimiento y también poder apagar la cámara sin que el usuario esté consciente de ello. Nota: El mismo ataque se puede ejecutar utilizando la aplicación móvil Amcrest Cloud.

Amcrest IPM-721S suffers from credential disclosure, privilege escalation, and a long list of other vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-04-25 CVE Reserved
2019-06-07 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-264: Permissions, Privileges, and Access Controls

CAPEC

References (3)

URL	Tag	Source
http://packetstormsecurity.com/files/153224/Amcrest-IPM-721S-Credential-Disclosure-Privilege-Escalation.html	Third Party Advisory
https://seclists.org/bugtraq/2019/Jun/8	Mailing List

URL	Date	SRC
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Amcrest_sec_issues.pdf	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Amcrest Search vendor "Amcrest"	Ipm-721s Firmware Search vendor "Amcrest" for product "Ipm-721s Firmware"	<= 2.420.ac00.16.r.20160909 Search vendor "Amcrest" for product "Ipm-721s Firmware" and version " <= 2.420.ac00.16.r.20160909"	-	Affected	in	Amcrest Search vendor "Amcrest"	Ipm-721s Search vendor "Amcrest" for product "Ipm-721s"	-	-	Safe