CVE-2018-7231
📋 TL;DR
This vulnerability in Schneider Electric's Pelco Sarix Professional cameras allows remote attackers to execute arbitrary commands by exploiting insufficient input validation in the 'system.opkg.remove' parameter. Attackers can inject shell meta-characters to gain system-level access. All firmware versions prior to 3.29.67 are affected.
💻 Affected Systems
- Schneider Electric Pelco Sarix Professional cameras
📦 What is this software?
- Ibp1110 1er Firmware by Schneider Electric
- Ibp219 1er Firmware by Schneider Electric
- Ibp319 1er Firmware by Schneider Electric
- Ibp519 1er Firmware by Schneider Electric
- Ibps110 1er Firmware by Schneider Electric
- Imp1110 1 Firmware by Schneider Electric
- Imp1110 1e Firmware by Schneider Electric
- Imp1110 1er Firmware by Schneider Electric
- Imp219 1 Firmware by Schneider Electric
- Imp219 1e Firmware by Schneider Electric
- Imp219 1er Firmware by Schneider Electric
- Imp319 1 Firmware by Schneider Electric
- Imp319 1e Firmware by Schneider Electric
- Imp319 1er Firmware by Schneider Electric
- Imp519 1 Firmware by Schneider Electric
- Imp519 1e Firmware by Schneider Electric
- Imp519 1er Firmware by Schneider Electric
- Imps110 1e Firmware by Schneider Electric
- Imps110 1er Firmware by Schneider Electric
- Mps110 1 Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with root privileges, potentially taking full control of the camera, pivoting to internal networks, or deploying persistent malware.
Likely Case
Remote code execution leading to camera compromise, video stream interception, credential theft, or use as a foothold for lateral movement within the network.
If Mitigated
Limited impact if cameras are isolated in separate VLANs with strict network segmentation and no internet exposure.
🎯 Exploit Status
Simple command injection vulnerability requiring minimal technical skill to exploit. Public exploit code exists demonstrating the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.29.67 and later
Vendor Advisory: https://www.schneider-electric.com/en/download/document/SEVD-2018-058-01/
Restart Required: Yes
Instructions:
1. Download firmware version 3.29.67 or later from the Schneider Electric portal.
2. Log into the camera web interface.
3. Navigate to Maintenance > Firmware Upgrade.
4. Upload the new firmware file.
5. Wait for the upgrade to complete and the camera to reboot.
🔧 Temporary Workarounds
Network segmentation
Isolate cameras in a separate VLAN with strict firewall rules blocking all unnecessary inbound/outbound traffic.
Access control restrictions
Implement strict network access controls to limit which IP addresses can communicate with camera management interfaces.
🧯 If You Can't Patch
- Immediately isolate affected cameras from internet and restrict network access to management interfaces only from trusted administrative networks.
- Implement network monitoring and intrusion detection specifically for command injection attempts targeting the camera web interface.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface: Login > Maintenance > Firmware Information. If the version is below 3.29.67, the camera is vulnerable.
Check Version:
Via the web interface, or check HTTP response headers for version information.
Verify Fix Applied:
After patching, verify that the firmware version shown under Maintenance > Firmware Information is 3.29.67 or higher.
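When checking a fleet of cameras against the 3.29.67 threshold, the easy mistake is comparing version strings lexicographically ("3.3.0" sorts after "3.29.67" as text but is an older release). The following is an added example, not code from the advisory or from Schneider Electric: it parses the version text as displayed under Firmware Information into numeric components and flags anything older than the fixed release. The inventory is constructed for illustration.

```python
import re

FIXED_VERSION = "3.29.67"  # first fixed release named in the advisory


def parse_version(text):
    """Return the leading dotted-numeric version in `text` as a tuple of ints,
    e.g. 'Firmware 3.29.66 (build 1)' -> (3, 29, 66). None if no version is found."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text):
    """True when the reported firmware is older than FIXED_VERSION.

    Tuple comparison avoids the string-comparison trap where '3.3.0' > '3.29.67'
    as text even though 3.3.0 is older. Unparseable input returns None so that
    devices with an unknown version are surfaced for manual review rather than
    silently treated as patched.
    """
    current = parse_version(version_text)
    if current is None:
        return None
    fixed = parse_version(FIXED_VERSION)
    width = max(len(current), len(fixed))
    # Pad shorter tuples with zeros so (3, 30) compares correctly against (3, 29, 67).
    current = current + (0,) * (width - len(current))
    fixed = fixed + (0,) * (width - len(fixed))
    return current < fixed


def triage(inventory):
    """Map each host to True (vulnerable), False (fixed) or None (version unknown)."""
    return {host: is_vulnerable(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are illustrative, not real devices).
SAMPLE_INVENTORY = {
    "cam-lobby-01": "3.29.67",
    "cam-dock-02": "3.3.0",
    "cam-gate-03": "Firmware 3.29.66 (build 1)",
    "cam-roof-04": "unknown",
    "cam-hall-05": "3.30.1",
}

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        label = {True: "VULNERABLE", False: "fixed", None: "version unknown"}[state]
        print(f"{host}: {label}")
```

Feed `triage` whatever your asset inventory exports for the Firmware Information field; a `None` result is a prompt to check the device by hand, not a pass.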
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution attempts in system logs
- Multiple failed login attempts followed by successful access
- Unexpected processes running on camera
Network Indicators:
- HTTP requests containing shell meta-characters in parameters
- Unusual outbound connections from camera to external IPs
- Traffic patterns inconsistent with normal camera operation
SIEM Query:
(source="camera_logs" AND ("system.opkg.remove" OR shell_metacharacters)) OR (dest_ip="camera_ip" AND http_method="POST" AND uri_contains="opkg")
Replace camera_ip with the address of each camera and shell_metacharacters with your SIEM's pattern for characters such as ; | & ` and $( in request parameters; the parentheses make the two conditions explicit so that AND does not bind more tightly than intended.
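The network indicator above (shell meta-characters in request parameters, especially in system.opkg.remove) can be checked offline against web-server access logs before it is turned into a SIEM rule. The following is an added example, not code from the advisory or from the vendor: it parses combined-format log lines, splits the query string on & only (splitting on ; as well, which some parsers do, would hide the very character being looked for), URL-decodes each value up to twice to catch double encoding, and grades each hit. The log lines and the /cgi-bin/api request path are constructed placeholders, not the camera's real API.

```python
import re
from urllib.parse import unquote

# Characters and sequences that chain or substitute commands when a value
# reaches a shell unquoted. '$' alone is left out to limit false positives.
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(|\$\{")

SENSITIVE_PARAM = "system.opkg.remove"  # parameter named in the advisory

# Combined log format: client, timestamp, method, request target, status.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the request path is a placeholder, not the real endpoint.
SAMPLE_LOG = """\
10.0.5.21 - - [12/Mar/2018:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1523
10.0.5.21 - - [12/Mar/2018:10:15:07 +0000] "POST /cgi-bin/api?system.opkg.remove=pkg;id HTTP/1.1" 200 88
10.0.5.22 - - [12/Mar/2018:10:16:12 +0000] "GET /cgi-bin/api?system.opkg.remove=oldpkg HTTP/1.1" 200 40
10.0.5.23 - - [12/Mar/2018:10:17:30 +0000] "GET /cgi-bin/api?name=%60id%60 HTTP/1.1" 200 40
"""


def split_query(query):
    """Split a query string on '&' only and return (name, raw_value) pairs."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, raw = part.partition("=")
        pairs.append((unquote(name), raw))
    return pairs


def decode_value(value, rounds=2):
    """URL-decode up to `rounds` times so %2560-style double encoding is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(src, method, target):
    """Return findings for one request: high = metacharacters in the sensitive
    parameter, medium = metacharacters elsewhere, info = sensitive parameter used."""
    findings = []
    query = target.partition("?")[2]
    for name, raw in split_query(query):
        value = decode_value(raw)
        has_meta = SHELL_META.search(value) is not None
        if name == SENSITIVE_PARAM and has_meta:
            severity = "high"
        elif has_meta:
            severity = "medium"
        elif name == SENSITIVE_PARAM:
            severity = "info"
        else:
            continue
        findings.append({"src": src, "method": method, "param": name,
                         "value": value, "severity": severity})
    return findings


def scan_log(text):
    """Scan every parseable line of an access log and collect findings in order."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        findings.extend(scan_request(m["src"], m["method"], m["target"]))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['src']} {f['method']} {f['param']}={f['value']!r}")
```

Run it over a real access log to tune the metacharacter set before promoting the logic to a SIEM rule; "info" hits on a management parameter are expected from legitimate administration and are only worth alerting on when they come from an address outside the trusted admin network.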