CVE-2017-17101

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to bypass login screens on affected IP cameras and gain 'super admin' access. Attackers can view live video feeds, access configuration files containing passwords, and control system settings. This affects many different models of IP cameras using Apexis APM-H803-MPC software.

💻 Affected Systems

Products:
  • Various IP camera models using Apexis APM-H803-MPC software
Versions: Specific versions unknown, but appears to affect multiple versions of the software
Operating Systems: Embedded Linux systems on IP cameras
Default Config Vulnerable: ⚠️ Yes
Notes: Affects multiple camera models from different manufacturers using this vulnerable software component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of camera system allowing unauthorized surveillance, credential theft, camera control, and potential pivot to internal networks.

🟠 Likely Case

Unauthorized access to live video feeds and configuration data, enabling surveillance and credential harvesting.

🟢 If Mitigated

Limited impact if cameras are isolated on separate VLANs with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - Directly exposed cameras can be accessed by anyone on the internet without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to gain camera access and potentially pivot.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to specific unprotected CGI endpoints. Video demonstrations show complete exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider replacing affected cameras with models from reputable vendors that provide security updates.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate cameras on separate VLANs with strict firewall rules preventing internet access and limiting internal access.

Access Control Lists (applies to: all)

Implement IP-based access controls to restrict camera management interface access to authorized administrative networks only.

🧯 If You Can't Patch

  • Physically disconnect cameras from networks if they contain sensitive surveillance footage
  • Replace affected cameras with models from vendors that provide security updates and patches

🔍 How to Verify

Check if Vulnerable:

Attempt to access camera CGI endpoints without authentication. Check for unprotected access to /cgi-bin/ endpoints that should require authentication.

Check Version:

Check camera web interface or documentation for software version information

Verify Fix Applied:

Verify that all CGI endpoints require proper authentication and that login bypass is no longer possible.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access to CGI endpoints
  • Multiple failed login attempts followed by successful access without credentials
  • Access to configuration or video streams from unauthorized IP addresses

Network Indicators:

  • HTTP requests to camera CGI endpoints from unexpected sources
  • Traffic patterns showing video streaming to unauthorized destinations

SIEM Query:

source_ip NOT IN authorized_admin_ips AND (uri CONTAINS '/cgi-bin/' OR uri CONTAINS 'config' OR uri CONTAINS 'stream') AND response_code=200
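The SIEM query above, implemented as an added example over constructed access-log lines (this is not code from the page or the vendor). The administrative networks and the CGI paths in the sample lines are placeholders; the example also goes one step beyond the query by requiring that no authenticated user was logged for the request, which separates an authentication bypass from a legitimate admin session.

```python
import re
from ipaddress import ip_address, ip_network

# Placeholder administrative networks; replace with your own management ranges.
AUTHORIZED_ADMIN_NETS = [ip_network("10.0.50.0/24"), ip_network("192.168.1.10/32")]
# URI markers taken from the SIEM query on this page.
SUSPECT_URI_MARKERS = ("/cgi-bin/", "config", "stream")

# Combined-log-format style line: ip ident authuser [timestamp] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

def is_authorized(ip):
    addr = ip_address(ip)
    return any(addr in net for net in AUTHORIZED_ADMIN_NETS)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious(rec):
    """Mirror of the SIEM query: non-admin source, sensitive URI, HTTP 200.
    Additionally require an empty auth-user field ('-'): a 200 on a CGI
    endpoint with nobody logged in is the bypass signature, not admin use."""
    if rec["status"] != "200" or is_authorized(rec["ip"]) or rec["user"] != "-":
        return False
    return any(marker in rec["uri"] for marker in SUSPECT_URI_MARKERS)

def scan(lines):
    """Return the parsed records that match the detection logic."""
    return [rec for rec in map(parse_line, lines) if rec and suspicious(rec)]

# Constructed sample log lines; the CGI paths are placeholders, not real camera endpoints.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/example_config.cgi HTTP/1.1" 200 1843',
    '10.0.50.12 - admin [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/example_config.cgi HTTP/1.1" 200 1843',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/example_stream.cgi HTTP/1.1" 401 0',
    '198.51.100.4 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:00:15 +0000] "GET /cgi-bin/example_stream.cgi HTTP/1.1" 200 99999',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} {hit['ip']} {hit['method']} {hit['uri']}")
```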
