CVE-2018-3813
📋 TL;DR
CVE-2018-3813 is an authentication bypass vulnerability in FLIR Brickstream 2300 devices that allows unauthenticated attackers to directly access the getConfigExportFile.cgi endpoint and extract sensitive credentials including AVI_USER_ID and AVI_USER_PASSWORD. This affects FLIR Brickstream 2300 devices running vulnerable firmware versions, allowing attackers to gain administrative access to the devices.
💻 Affected Systems
- FLIR Brickstream 2300
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control of Brickstream devices, potentially compromising the entire surveillance/analytics network, exfiltrating sensitive data, or using devices as footholds for lateral movement.
Likely Case
Attackers extract administrative credentials and gain unauthorized access to device management interfaces, potentially modifying configurations or accessing collected analytics data.
If Mitigated
With proper network segmentation and access controls, impact is limited to the specific vulnerable device only.
🎯 Exploit Status
The exploit requires only a simple HTTP GET request to the vulnerable endpoint. Public blog posts demonstrate the exploitation technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown specific version - contact FLIR for updated firmware
Vendor Advisory: No public vendor advisory found
Restart Required: Yes
Instructions:
1. Contact FLIR support for updated firmware.
2. Back up the device configuration.
3. Apply the firmware update following vendor instructions.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to Brickstream management interfaces using firewall rules
Web Server Configuration
Block access to getConfigExportFile.cgi via web server configuration if possible
🧯 If You Can't Patch
- Isolate Brickstream devices on a separate VLAN with strict access controls
- Implement network monitoring for unauthorized access attempts to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Send HTTP GET request to http://[device-ip]/getConfigExportFile.cgi and check if it returns configuration data without authentication
Check Version:
Check device web interface or contact FLIR for version information
Verify Fix Applied:
After patching, attempt the same request and verify it requires authentication or returns an error
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access to getConfigExportFile.cgi in web server logs
- Multiple failed authentication attempts followed by successful access to the endpoint
Network Indicators:
- HTTP GET requests to /getConfigExportFile.cgi from unauthorized IP addresses
- Unusual outbound connections from Brickstream devices
SIEM Query:
source="brickstream_web_logs" AND uri="/getConfigExportFile.cgi" AND user="-"
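The same detection logic as the SIEM query above, applied offline to web server access logs, as an added example that is not part of this advisory. It assumes the device logs in Common Log Format (the authuser field is "-" when no user authenticated) and uses constructed sample lines; the helper names are hypothetical.

```python
import re
from typing import Dict, List

# Common Log Format: host ident authuser [time] "METHOD path proto" status size
# (assumed log layout; adjust the regex if the device logs differently)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TARGET = "/getConfigExportFile.cgi"

# Constructed sample lines: two unauthenticated hits on the export CGI (one
# served with 200, one rejected with 401), one authenticated admin export,
# and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2019:10:15:02 +0000] "GET /getConfigExportFile.cgi HTTP/1.1" 200 4821',
    '10.0.0.5 - admin [12/Mar/2019:10:16:40 +0000] "GET /getConfigExportFile.cgi HTTP/1.1" 200 4821',
    '203.0.113.7 - - [12/Mar/2019:10:17:01 +0000] "GET /index.html HTTP/1.1" 200 1023',
    '198.51.100.9 - - [12/Mar/2019:10:18:11 +0000] "GET /getConfigExportFile.cgi?x=1 HTTP/1.1" 401 0',
]


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one CLF line, or {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def is_suspicious(rec: Dict[str, str]) -> bool:
    """True for any request to the export CGI with no authenticated user."""
    if not rec:
        return False
    path = rec["path"].split("?", 1)[0]   # ignore query string
    return path == TARGET and rec["user"] == "-"


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Parse all lines and return the records that match the indicator."""
    return [r for r in map(parse_line, lines) if is_suspicious(r)]


def summarize(hits: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each source host to 'served' (2xx, data likely leaked) or 'blocked'."""
    return {h["host"]: ("served" if h["status"].startswith("2") else "blocked")
            for h in hits}


if __name__ == "__main__":
    for host, outcome in summarize(scan(SAMPLE_LOG)).items():
        print(f"{host}: unauthenticated export request {outcome}")
```

A "served" result is the high-priority alert: it means the device handed out its configuration (and the AVI_USER_ID / AVI_USER_PASSWORD values in it) without authentication, so the credentials should be treated as compromised.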