CVE-2018-7237
📋 TL;DR
This vulnerability in Schneider Electric's Pelco Sarix Professional cameras allows remote attackers to delete arbitrary system files due to insufficient input validation in the /login/bin/set_param endpoint. Attackers can exploit this by manipulating the 'system.delete.sd_file' parameter. All organizations using affected firmware versions are at risk.
💻 Affected Systems
- Schneider Electric Pelco Sarix Professional cameras
📦 What is this software?
Ibp1110 1er Firmware by Schneider Electric
Ibp219 1er Firmware by Schneider Electric
Ibp319 1er Firmware by Schneider Electric
Ibp519 1er Firmware by Schneider Electric
Ibps110 1er Firmware by Schneider Electric
Imp1110 1 Firmware by Schneider Electric
Imp1110 1e Firmware by Schneider Electric
Imp1110 1er Firmware by Schneider Electric
Imp219 1 Firmware by Schneider Electric
Imp219 1e Firmware by Schneider Electric
Imp219 1er Firmware by Schneider Electric
Imp319 1 Firmware by Schneider Electric
Imp319 1e Firmware by Schneider Electric
Imp319 1er Firmware by Schneider Electric
Imp519 1 Firmware by Schneider Electric
Imp519 1e Firmware by Schneider Electric
Imp519 1er Firmware by Schneider Electric
Imps110 1e Firmware by Schneider Electric
Imps110 1er Firmware by Schneider Electric
Mps110 1 Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, leading to device bricking, persistent denial of service, or enabling further attacks by removing security controls.
Likely Case
Disruption of camera functionality through deletion of configuration or video files, causing service interruption and potential loss of surveillance footage.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external attackers from reaching vulnerable endpoints.
🎯 Exploit Status
Exploitation requires network access to the vulnerable endpoint but no authentication. Simple HTTP request manipulation is sufficient.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.29.67 and later
Vendor Advisory: https://www.schneider-electric.com/en/download/document/SEVD-2018-058-01/
Restart Required: Yes
Instructions:
1. Download firmware version 3.29.67 or later from Schneider Electric portal.
2. Upload firmware to camera via web interface.
3. Apply update.
4. Reboot camera to complete installation.
🔧 Temporary Workarounds
Network Segmentation
Isolate cameras on separate VLANs with strict firewall rules preventing external access to management interfaces.
Access Control Lists
Implement network ACLs to restrict access to camera management interfaces to authorized administrative IPs only.
🧯 If You Can't Patch
- Segment cameras on isolated networks with no internet access
- Implement strict firewall rules blocking all external access to camera management interfaces
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface: Settings > System > Information. If version is below 3.29.67, device is vulnerable.
Check Version:
curl -s http://[camera-ip]/cgi-bin/version or check web interface
Verify Fix Applied:
Confirm firmware version is 3.29.67 or higher in web interface. Test endpoint access with controlled attempts.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /login/bin/set_param with system.delete.sd_file parameter
- File deletion events in system logs
- Unexpected system reboots
Network Indicators:
- HTTP POST requests to camera IP on port 80/443 with delete parameters
- Unusual traffic patterns to camera management interfaces
SIEM Query:
source="camera_logs" AND (uri="/login/bin/set_param" AND param="system.delete.sd_file")
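The log indicator above can also be applied offline. The following is an added example, not part of the vendor advisory or this page's original content: it scans web access logs for requests to /login/bin/set_param that carry system.delete.sd_file and records whether the source is outside the administrative networks. The Common Log Format input, the ADMIN_NETS range, the function names and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/login/bin/set_param"   # endpoint named in the advisory text
PARAM = "system.delete.sd_file"     # parameter named in the advisory text
# Assumption: the only networks allowed to reach camera management interfaces.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/28")]
# Assumption: Common Log Format lines from a proxy or sensor in front of the cameras.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Constructed sample input; addresses, timestamps and values are placeholders.
SAMPLE_LOG = """\
10.20.0.5 - - [01/Mar/2018:10:00:00 +0000] "GET /login/bin/set_param?system.delete.sd_file=EXAMPLE HTTP/1.1" 200 12
198.51.100.7 - - [01/Mar/2018:10:01:00 +0000] "GET /login/bin/set_param?system%2Edelete%2Esd_file=EXAMPLE HTTP/1.1" 200 12
198.51.100.7 - - [01/Mar/2018:10:02:00 +0000] "POST /login/bin/set_param HTTP/1.1" 200 12
192.0.2.9 - - [01/Mar/2018:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.20.0.5 - - [01/Mar/2018:10:04:00 +0000] "GET /login/bin/set_param?other.param=1 HTTP/1.1" 200 12
"""

def from_admin_net(src):
    """True if src is an IP address inside an allowed admin network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)

def find_set_param_hits(log_text):
    """Return one dict per request that matches the log indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or urlsplit(m["target"]).path != ENDPOINT:
            continue
        # parse_qs percent-decodes names, so an encoded parameter name still matches.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if PARAM in query:
            reason = "delete-param-in-url"
        elif m["method"] == "POST":
            reason = "post-body-not-logged"  # parameters may be in the body: review
        else:
            continue
        hits.append({"src": m["src"], "time": m["ts"], "status": m["status"],
                     "reason": reason, "from_admin_net": from_admin_net(m["src"])})
    return hits

if __name__ == "__main__":
    print(*find_set_param_hits(SAMPLE_LOG), sep="\n")
```

Hits with from_admin_net set to False are the ones to triage first, since the workarounds above restrict management access to authorized administrative IPs.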