CVE-2020-10176
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on Yale WIPC-301W IP cameras through eval injection. Attackers can gain full control of affected devices, potentially compromising camera feeds and using devices as network footholds. All users of affected Yale camera versions are at risk.
💻 Affected Systems
- ASSA ABLOY Yale WIPC-301W IP Camera
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover allowing attackers to view/record camera feeds, pivot to internal networks, install persistent malware, or use devices in botnets.
Likely Case
Unauthorized access to camera feeds, device compromise for surveillance or data exfiltration, and potential lateral movement within networks.
If Mitigated
Limited impact if devices are isolated on separate VLANs with strict network segmentation and access controls.
🎯 Exploit Status
Exploitation requires network access to the device but no authentication. A public proof-of-concept demonstrates remote code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.x.2.44 and later
Vendor Advisory: https://www.assaabloy.com/en/com/our-brands/yale/cybersecurity
Restart Required: Yes
Instructions:
1. Check current firmware version via web interface.
2. Download latest firmware from Yale support portal.
3. Upload firmware via web interface.
4. Reboot device after update completes.
🔧 Temporary Workarounds
Network Segmentation
Isolate cameras on a separate VLAN with strict firewall rules blocking all inbound traffic except from management systems.
Access Control Lists
Implement IP-based access restrictions to limit which systems can communicate with cameras.
🧯 If You Can't Patch
- Remove devices from internet exposure and place behind VPN with strict access controls
- Implement network monitoring for suspicious traffic to/from camera devices
🔍 How to Verify
Check if Vulnerable:
Access camera web interface, navigate to System > Information, check firmware version. If version is between 2.x.2.29 and 2.x.2.43_p1, device is vulnerable.
Check Version:
curl -s http://[CAMERA_IP]/cgi-bin/version.cgi | grep firmware
Verify Fix Applied:
After update, verify firmware version shows 2.x.2.44 or higher in System > Information page.
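An added example (not from the vendor or the original page) that applies the version ranges above to an inventory of firmware strings. It assumes the layout 2.<variant>.2.<build>[_p<patch>], with the page's "x" treated as a variant field that is not compared; the sample inventory is constructed.

```python
import re

# Bounds taken from the page: vulnerable 2.x.2.29 .. 2.x.2.43_p1, fixed 2.x.2.44+.
VULN_LOW = (29, 0)
VULN_HIGH = (43, 1)
FIXED_FROM = (44, 0)

# Assumed layout: 2.<variant>.2.<build>[_p<patch>]; <variant> is the "x" on the page.
_VERSION_RE = re.compile(r"^2\.(\w+)\.2\.(\d+)(?:_p(\d+))?$")


def parse_build(version):
    """Return (build, patch), or None if the string does not match the assumed layout."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return int(m.group(2)), int(m.group(3) or 0)


def classify(version):
    """Classify a firmware string as 'vulnerable', 'fixed' or 'unknown'."""
    build = parse_build(version)
    if build is None:
        return "unknown"      # unparseable: do not assume the device is safe
    if build >= FIXED_FROM:
        return "fixed"
    if VULN_LOW <= build <= VULN_HIGH:
        return "vulnerable"
    return "unknown"          # outside both ranges the page states


def audit(inventory):
    """Map each camera to a status; anything not 'fixed' needs follow-up."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed inventory: documentation addresses and made-up version strings.
SAMPLE_INVENTORY = {
    "192.0.2.10": "2.1.2.29",
    "192.0.2.11": "2.1.2.43_p1",
    "192.0.2.12": "2.1.2.44",
    "192.0.2.13": "2.1.2.43_p2",
    "192.0.2.14": "firmware: n/a",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{SAMPLE_INVENTORY[host]}\t{status}")
```

Versions that fall between the stated upper bound and the fixed release, or that cannot be parsed, are reported as unknown rather than safe, so they surface for manual review.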
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to CGI endpoints
- Multiple failed authentication attempts followed by successful access
- System log entries showing unexpected process execution
Network Indicators:
- Unusual outbound connections from camera devices
- Traffic to known malicious IPs from camera
- Unexpected port scanning originating from camera
SIEM Query:
source="camera_logs" AND (uri_path="*.cgi" AND method="POST" AND status="200") AND NOT user_agent="YaleBrowser"
🔗 References
- https://firedome.io/blog/firedome-discloses-0-day-vulnerabilities-in-yale-ip-cameras/
- https://lp.firedome.io/hubfs/Yale%20WIPC-301W%20RCE%20Vulnerability%20Report%205-6.pdf