Vaion-255: Debug network port open on vcam

Release Date

20th August 2020.

Overview

A network port was open on vcam devices through which image histogram statistics could be obtained.

Affected Products

• vcam: All versions before 1.0.2

Unaffected Products

• vcam: All versions after and including 1.0.2.
• vcore: All versions.
• vcloud: All versions.

Resolution

After discovering the issue, a software fix was made that closed the affected network port. This was fixed and deployed with the release of vcam 1.0.2 on 6th February 2020. We recommend that all vcam devices running an affected version upgrade to the latest release as soon as possible. See How to: Set the Vaion vcam System settings locally or How to: Upgrade your Vaion vcam devices from vcore.

Vulnerability Information

A network port was open on vcam through which the video stream/image histogram data could be accessed. Even though this does not provide much information directly as the video stream itself is not accessible through this port, statistics can be collected and some information such as when the camera goes into day/night mode, when indoor lights are switched on/off etc can be deduced.

• CVE: Pending
• CVSSv3 score: 5.3 Medium
• CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Acknowledgements

Issue found internally by Vaion.

Disclosure Timeline

• 05/02/2020 Issue found internally by Vaion
• 05/02/2020 Root cause established
• 05/02/2020 Fix identified and Patched
• 06/02/2020 vcam 1.0.2 (Stable) released
• 20/08/2020 Vulnerability publicly disclosed