CVE-2021-26627
📋 TL;DR
CVE-2021-26627 allows remote attackers to access live video feeds without authentication by sending RTSP requests to vulnerable devices. This affects systems with insufficient authentication on activated RTSP ports, potentially exposing sensitive real-time surveillance or monitoring footage.
💻 Affected Systems
- Specific products not identified in provided references - appears to affect various RTSP-enabled devices/cameras
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all live video feeds to unauthorized remote actors, enabling surveillance of sensitive areas, privacy violations, and potential reconnaissance for physical attacks.
Likely Case
Unauthorized viewing of live camera feeds, compromising privacy and security monitoring capabilities.
If Mitigated
No unauthorized access to video streams when proper authentication and network controls are implemented.
🎯 Exploit Status
Exploitation requires only an RTSP client tool such as ffplay and network access to the vulnerable port. No authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Vendor-specific - check with device manufacturer
Vendor Advisory: https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66663
Restart Required: Yes
Instructions:
1. Identify affected devices
2. Contact manufacturer for firmware updates
3. Apply latest firmware
4. Restart devices
5. Verify RTSP authentication is enabled
🔧 Temporary Workarounds
Disable RTSP Service
Turn off RTSP streaming if not required (all platforms)
Device-specific - check admin interface for RTSP settings
Network Segmentation
On Linux, restrict access to RTSP ports (typically 554)
iptables -A INPUT -p tcp --dport 554 -j DROP
iptables -A INPUT -p udp --dport 554 -j DROP
🧯 If You Can't Patch
- Implement strong authentication on RTSP service
- Place devices behind VPN or strict firewall rules allowing only authorized IPs
🔍 How to Verify
Check if Vulnerable:
Use ffplay or similar RTSP client to attempt connection without credentials: ffplay rtsp://[target_ip]:554/[stream_path]
Check Version:
Device-specific - check web interface or manufacturer documentation
Verify Fix Applied:
Attempt the same connection; it should prompt for credentials or fail
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts on RTSP port
- Unauthorized RTSP connection requests
- High volume of RTSP traffic from unexpected sources
Network Indicators:
- RTSP traffic to port 554 from unauthorized IPs
- RTSP DESCRIBE/SETUP requests without authentication headers
SIEM Query:
destination_port=554 AND (protocol="RTSP" OR tcp_flags="SYN") AND NOT source_ip IN [authorized_ips]
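The network indicator "RTSP DESCRIBE/SETUP requests without authentication headers" is only meaningful together with the server's reply, because a request without credentials answered by 401 is the normal challenge step. The following is an added example, not code from the advisory or any vendor: it flags DESCRIBE/SETUP requests that carried no Authorization header and were still answered with 200. The function names and the sample exchanges are constructed for illustration.

```python
import re

GUARDED_METHODS = {"DESCRIBE", "SETUP"}  # the methods named in the indicator above

def parse_head(message):
    """Split an RTSP message into its first line and a lower-cased header dict."""
    lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return lines[0], headers

def unauthenticated_stream_access(exchanges):
    """Return (client_ip, method, uri) for guarded requests served with 200 and no Authorization."""
    findings = []
    for client_ip, request, response in exchanges:
        request_line, request_headers = parse_head(request)
        req = re.match(r"([A-Z_]+) (\S+) RTSP/\d\.\d$", request_line)
        status = re.match(r"RTSP/\d\.\d (\d{3})", parse_head(response)[0])
        if not req or not status or req.group(1) not in GUARDED_METHODS:
            continue
        if "authorization" in request_headers:
            continue  # client presented credentials
        if status.group(1) == "200":  # 401 here is the normal challenge, not a finding
            findings.append((client_ip, req.group(1), req.group(2)))
    return findings

# Constructed sample exchanges (documentation IP ranges), not captured traffic.
URI = "rtsp://192.0.2.10:554/stream1"
SAMPLE = [
    ("198.51.100.7", f"DESCRIBE {URI} RTSP/1.0\r\nCSeq: 2\r\nAccept: application/sdp\r\n\r\n",
     "RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n\r\n"),
    ("192.0.2.50", f"DESCRIBE {URI} RTSP/1.0\r\nCSeq: 2\r\n\r\n",
     'RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\nWWW-Authenticate: Digest realm="cam", nonce="constructed"\r\n\r\n'),
    ("192.0.2.50", f'DESCRIBE {URI} RTSP/1.0\r\nCSeq: 3\r\nauthorization: Digest username="op"\r\n\r\n',
     "RTSP/1.0 200 OK\r\nCSeq: 3\r\n\r\n"),
    ("198.51.100.7", f"SETUP {URI}/track1 RTSP/1.0\r\nCSeq: 3\r\nTransport: RTP/AVP;unicast\r\n\r\n",
     "RTSP/1.0 200 OK\r\nCSeq: 3\r\n\r\n"),
    ("198.51.100.7", f"OPTIONS {URI} RTSP/1.0\r\nCSeq: 1\r\n\r\n",
     "RTSP/1.0 200 OK\r\nCSeq: 1\r\nPublic: DESCRIBE, SETUP, PLAY\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in unauthenticated_stream_access(SAMPLE):
        print("unauthenticated stream access:", *finding)
```

The input format, a list of (client IP, request text, response text) tuples, is an assumption; in practice the pairs would come from reassembled TCP/554 sessions matched on CSeq.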