
Pelco Sarix Pro Network Camera set_param Program network.ieee8021x.delete_certs Command Execution Vulnerability


Published: 2018-03-01
Updated: 2018-03-01

Affected systems:

Pelco Sarix Professional IMPS110-1 < 3.29.67
Pelco Sarix Professional IMPS110-1E < 3.29.67
Pelco Sarix Professional IMPS110-1ER < 3.29.67
Pelco Sarix Professional IMP1110-1 < 3.29.67
Pelco Sarix Professional IMP1110-1E < 3.29.67
Pelco Sarix Professional IMP1110-1ER < 3.29.67
Pelco Sarix Professional IBP1110-1ER < 3.29.67
Pelco Sarix Professional IMP219-1 < 3.29.67
Pelco Sarix Professional IMP219-1E < 3.29.67
Pelco Sarix Professional IMP219-1ER < 3.29.67
Pelco Sarix Professional IBP219-1ER < 3.29.67
Pelco Sarix Professional IMP319-1 < 3.29.67
Pelco Sarix Professional IMP319-1E < 3.29.67
Pelco Sarix Professional IMP319-1ER < 3.29.67
Pelco Sarix Professional IBP319-1ER < 3.29.67
Pelco Sarix Professional IMP519-1 < 3.29.67
Pelco Sarix Professional IMP519-1E < 3.29.67
Pelco Sarix Professional IBP519-1ER < 3.29.67

Description:

CVE(CAN) ID: CVE-2018-7232

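The Pelco Sarix Professional series is the Sarix Pro network camera product line from Pelco, a Schneider Electric brand.

The /login/bin/set_param program on Pelco Sarix Pro network cameras performs no security checks on user-supplied input when it handles the network.ieee8021x.delete_certs parameter. A user can use shell metacharacters to execute arbitrary system commands as root and thereby take full control of the camera.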

<*Source: 邓永凯
 
  Link: https://www.pelco.com/search?documentUUID=e88d9bca-0062-4f85-8f4165982d304c69&title=Sarix%20Professi
*>
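As an added detection example (not part of the original advisory and not Pelco code), the following scans HTTP access logs for requests to /login/bin/set_param whose network.ieee8021x.delete_certs value contains shell metacharacters after URL decoding. It assumes combined-format access logs (for example from a reverse proxy in front of the camera) and that the parameter is sent as name=value in the query string; the log lines and values are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET_PATH = "/login/bin/set_param"              # path named in the advisory
TARGET_PARAM = "network.ieee8021x.delete_certs"   # parameter named in the advisory

# Characters a POSIX shell treats specially; a certificate name needs none of them.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\r\n]")

# Assumed layout: client ident user [time] "METHOD URI PROTO" status ...
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Mar/2018:10:00:01 +0000] "GET /login/bin/set_param'
    '?network.ieee8021x.delete_certs=old-ca.pem HTTP/1.1" 200 17',
    '198.51.100.7 - - [01/Mar/2018:10:02:44 +0000] "GET /login/bin/set_param'
    '?network.ieee8021x.delete_certs=old-ca.pem%3BPLACEHOLDER HTTP/1.1" 200 17',
    '198.51.100.7 - - [01/Mar/2018:10:02:51 +0000] "GET /login/bin/set_param'
    '?network.ieee8021x.delete_certs=%24%28PLACEHOLDER%29 HTTP/1.1" 200 17',
    '192.0.2.10 - admin [01/Mar/2018:10:05:00 +0000] "GET /login/bin/get_param'
    '?x=a%3Bb HTTP/1.1" 200 5',
]


def find_injection_attempts(log_lines):
    """Return one dict per request whose delete_certs value holds a shell metacharacter."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, uri, status = m.group(1), m.group(3), int(m.group(4))
        url = urlsplit(uri)
        if url.path != TARGET_PATH:
            continue  # some other endpoint
        # parse_qsl splits on '&' first, then percent-decodes each value,
        # so encoded metacharacters (%3B, %26, %24 ...) show up decoded here.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == TARGET_PARAM and SHELL_META.search(value):
                hits.append({"client": client, "status": status, "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit)
```

Requests that carry the parameter in a POST body do not appear in access logs, so this check only covers query-string requests.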

Recommendation:

Vendor patch:

Pelco
-----
Pelco has released a security notification (SEVD-2018-058-01) and a corresponding patch for this issue:
SEVD-2018-058-01: Security Notification – Pelco Sarix Professional
Link: -

Version 3.29.67 fixes this vulnerability. Patch download:
