CVE-2021-25845
📋 TL;DR
This vulnerability allows attackers to cause a denial of service on Moxa VPort 06EC-2V Series IP cameras by sending a specially crafted LLDP packet. The improper validation of ChassisID TLV leads to a NULL pointer dereference, crashing the lldpd service. Only users of Moxa VPort 06EC-2V Series cameras running version 1.1 are affected.
💻 Affected Systems
- Moxa Camera VPort 06EC-2V Series
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service on the IP camera, making it unavailable for video streaming and management until manually rebooted.
Likely Case
Temporary service disruption of the camera's network connectivity and video feed, requiring reboot to restore functionality.
If Mitigated
No impact if cameras are patched or network controls prevent LLDP packets from reaching the cameras.
🎯 Exploit Status
Exploitation requires sending a crafted LLDP packet to the camera's network interface. No authentication is needed as LLDP is a layer 2 protocol that typically operates without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.2 or later
Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/vport-06ec-2v-series-ip-cameras-vulnerabilities
Restart Required: Yes
Instructions:
1. Download firmware version 1.2 or later from Moxa support site. 2. Access camera web interface. 3. Navigate to Maintenance > Firmware Upgrade. 4. Upload the new firmware file. 5. Wait for upgrade to complete and camera to reboot automatically.
🔧 Temporary Workarounds
Network Segmentation
allBlock LLDP packets from untrusted networks using firewall rules or network segmentation.
Disable LLDP Service
linuxDisable the lldpd service on the camera if LLDP functionality is not required.
🧯 If You Can't Patch
- Implement network segmentation to isolate cameras from untrusted networks
- Use firewall rules to block LLDP traffic (destination port 0) to camera IP addresses
🔍 How to Verify
Check if Vulnerable:
Check camera firmware version via web interface: System > System Information > Firmware Version. If version is 1.1, the camera is vulnerable.Check Version:
No CLI command available. Use web interface at http://<camera-ip>/ or check via ONVIF protocol.Verify Fix Applied:
After patching, verify firmware version shows 1.2 or later in System > System Information > Firmware Version.📡 Detection & Monitoring
Log Indicators:
- Camera service crash logs
- LLDP service restart messages
- System reboot events without user action
Network Indicators:
- Unusual LLDP packets with malformed ChassisID TLV
- Sudden loss of camera connectivity
SIEM Query:
source="camera_logs" AND ("lldpd crash" OR "NULL pointer" OR "segmentation fault")