CVE-2018-17558

Q: What is the severity of CVE-2018-17558?

CVE-2018-17558 has a CVSS score of 9.8 (CRITICAL). This CVE describes two critical vulnerabilities in ABUS security cameras: hardcoded manufacturer credentials and an OS command injection flaw in the /cgi-bin/mft/ directory. Attackers can exploit these to execute arbitrary code with root privileges on affected devices. Organizations using the listed ABUS camera models are at risk.

9.8 CRITICAL

Remote Code Execution Authentication Bypass

📋 TL;DR

This CVE describes two critical vulnerabilities in ABUS security cameras: hardcoded manufacturer credentials and an OS command injection flaw in the /cgi-bin/mft/ directory. Attackers can exploit these to execute arbitrary code with root privileges on affected devices. Organizations using the listed ABUS camera models are at risk.

💻 Affected Systems

Products:

ABUS TVIP20050
ABUS TVIP10051
ABUS TVIP11050
ABUS TVIP20550
ABUS TVIP10050
ABUS TVIP11550
ABUS TVIP21050
ABUS TVIP51550

Versions: LM.1.6.18, MG.1.6.03.05, MG.1.6.03

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attackers gain full root access to cameras, enabling complete device compromise, data exfiltration, lateral movement into networks, and persistent backdoor installation.

🟠

Likely Case

Attackers exploit cameras to create botnet nodes, conduct surveillance, or pivot to internal networks from internet-facing devices.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to isolated camera systems without critical data access.

🌐 Internet-Facing: HIGH - These are internet-connected security cameras with unauthenticated remote code execution, making them prime targets for mass exploitation.

🏢 Internal Only: MEDIUM - Internal exploitation still possible via network access, but requires attacker presence on internal network.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is trivial with publicly available proof-of-concept code. The hardcoded credentials bypass authentication, and command injection requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory available

Restart Required: No

Instructions:

No official patch exists. Manufacturer appears unresponsive based on references. Consider replacing affected devices.

🔧 Temporary Workarounds

Network Isolation

all

Place cameras on isolated VLAN with no internet access and strict firewall rules

Access Control

all

Block external access to camera web interfaces and restrict internal access to management networks only

🧯 If You Can't Patch

Immediately disconnect affected cameras from internet and place behind strict firewall
Replace affected cameras with patched models from different vendors if possible

🔍 How to Verify

Check if Vulnerable:

Check camera model and firmware version via web interface. If matches affected list, assume vulnerable.

Check Version:

Connect to camera web interface and check System Information or About page

Verify Fix Applied:

No fix available to verify. Only verification is device replacement with non-vulnerable model.

📡 Detection & Monitoring

Log Indicators:

Unusual authentication attempts
Unexpected process execution in camera logs
Access to /cgi-bin/mft/ directory

Network Indicators:

Outbound connections from cameras to unknown IPs
Unusual traffic patterns from camera IPs
Exploit kit traffic targeting camera IPs

SIEM Query:

source="camera_logs" AND (uri="/cgi-bin/mft/*" OR process="unexpected_command")

📊 Metadata

CVE ID: CVE-2018-17558

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-798

Published: October 26, 2023

Last Updated: November 21, 2024

🔗 References

https://sec.maride.cc/posts/abus/ Exploit,Third Party Advisory
https://www.ccc.de/en/updates/2019/update-nicht-verfugbar-hersteller-nicht-zu-erreichen Third Party Advisory
https://sec.maride.cc/posts/abus/ Exploit,Third Party Advisory
https://www.ccc.de/en/updates/2019/update-nicht-verfugbar-hersteller-nicht-zu-erreichen Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Tvip 10000 Firmware by Abus

Tvip 10001 Firmware by Abus

Tvip 10005 Firmware by Abus

Tvip 10005a Firmware by Abus

Tvip 10005b Firmware by Abus

Tvip 10050 Firmware by Abus

Tvip 10051 Firmware by Abus

Tvip 10055a Firmware by Abus

Tvip 10055b Firmware by Abus

Tvip 10500 Firmware by Abus

Tvip 10550 Firmware by Abus

Tvip 11000 Firmware by Abus

Tvip 11050 Firmware by Abus

Tvip 11500 Firmware by Abus

Tvip 11501 Firmware by Abus

Tvip 11502 Firmware by Abus

Tvip 11550 Firmware by Abus

Tvip 11551 Firmware by Abus

Tvip 11552 Firmware by Abus

Tvip 20000 Firmware by Abus

Tvip 20050 Firmware by Abus

Tvip 20500 Firmware by Abus

Tvip 20550 Firmware by Abus

Tvip 21000 Firmware by Abus

Tvip 21050 Firmware by Abus

Tvip 21500 Firmware by Abus

Tvip 21501 Firmware by Abus

Tvip 21502 Firmware by Abus

Tvip 21550 Firmware by Abus

Tvip 21551 Firmware by Abus

Tvip 21552 Firmware by Abus

Tvip 22500 Firmware by Abus

Tvip 31000 Firmware by Abus

Tvip 31001 Firmware by Abus

Tvip 31050 Firmware by Abus

Tvip 31500 Firmware by Abus

Tvip 31501 Firmware by Abus

Tvip 31550 Firmware by Abus

Tvip 31551 Firmware by Abus

Tvip 32500 Firmware by Abus

Tvip 51500 Firmware by Abus

Tvip 51550 Firmware by Abus

Tvip 71500 Firmware by Abus

Tvip 71501 Firmware by Abus

Tvip 71550 Firmware by Abus

Tvip 71551 Firmware by Abus

Tvip 72500 Firmware by Abus