Researchers Uncover Over a Dozen Security Flaws in Akuvox E11 Smart Intercom

March 13, 2023 | Ravie Lakshmanan | Enterprise Security / Privacy

Akuvox E11 Smart Intercom

Thirteen security flaws have been disclosed in the E11 smart intercom manufactured by the Chinese company Akuvox.

“These vulnerabilities allow attackers to remotely execute code to enable and control the device’s camera and microphone, as well as steal video and images, or gain a foothold in the network,” said Vera Mens, a security researcher at Claroty, in a technical write-up.

The Akuvox E11 is described on the company’s website as “a SIP [Session Initiation Protocol] video door phone specially designed for villas, houses and apartments.”

However, the product listing has since been removed from the website and now returns a “page does not exist” error. A snapshot captured by Google shows that the page was still live as of March 12, 2023, 05:59:51 GMT.

The attacks can be carried out either through remote code execution from within the local area network (LAN) or through remote activation of the E11’s camera and microphone, allowing an adversary to collect and exfiltrate multimedia recordings.

A third attack vector abuses an externally exposed, insecure File Transfer Protocol (FTP) server to download stored images and data.

The most serious problems are:

  • CVE-2023-0344 (CVSS score: 9.1) – Akuvox E11 seems to use a custom version of the dropbear SSH server. This server by default allows insecure options not found in the official dropbear SSH server.
  • CVE-2023-0345 (CVSS score: 9.8) – The Akuvox E11 Secure Shell (SSH) server is enabled by default and accessible by the root user. This password cannot be changed by the user.
  • CVE-2023-0352 (CVSS score: 9.1) – The Akuvox E11 password recovery webpage can be accessed without authentication, allowing an attacker to download the device key file. An attacker could then use this page to reset the password to default.
  • CVE-2023-0354 (CVSS score: 9.1) – Akuvox E11 web server can be accessed without user authentication. This could allow an attacker to access sensitive information or create and download packet captures using known default URLs.

The majority of the 13 security issues remain unpatched to this day. The one exception noted by Claroty is the FTP server permission issue, which Akuvox addressed by disabling “the ability to list content so that malicious actors cannot enumerate files.”


The findings also prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to release its own Industrial Control Systems (ICS) advisory last week.


“Successfully exploiting these vulnerabilities could result in the loss of sensitive information, unauthorized access, and granting the attacker complete administrative control,” the agency warned.

In the absence of a patch, organizations using the door phone are advised to disconnect it from the Internet until the flaws are fixed, in order to mitigate potential remote attacks.

It is also recommended to change the default password that protects the web interface and to follow the guidance on “segmenting and isolating Akuvox devices from the rest of the corporate network” to prevent lateral movement.
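Before a device can be segmented it has to be found. The script below is an added example (not code from Claroty, Akuvox or this article) for inventorying hosts on a LAN that expose an SSH service, the surface behind CVE-2023-0344 and CVE-2023-0345. It only reads the server identification string that every SSH server sends first (RFC 4253, section 4.2: `SSH-protoversion-softwareversion SP comments CR LF`) and flags servers that identify as dropbear; it never authenticates or sends data to the device. The host addresses and banners in the demonstration are constructed.

```python
"""Inventory check for LAN hosts exposing SSH, with a dropbear flag (banner grab only).

Added example, not from Claroty, Akuvox or the article. Connects to tcp/22, reads the
RFC 4253 identification string and reports the softwareversion field. No authentication
is attempted and nothing is sent to the target.
"""
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class SshFinding:
    host: str
    reachable: bool            # tcp/22 accepted the connection and sent something
    software: Optional[str]    # softwareversion field, e.g. "dropbear_2019.78"; None if absent
    flagged: bool              # True when the server identifies as dropbear
    note: str


def parse_ssh_banner(raw: bytes) -> Optional[str]:
    """Return the softwareversion field of an SSH identification string, or None.

    RFC 4253 lets a server send arbitrary lines before the identification
    string, so every line is scanned for one beginning with "SSH-".
    """
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        # b"SSH-2.0-dropbear_2019.78 comment" -> [b"SSH", b"2.0", b"dropbear_2019.78 comment"]
        parts = line.split(b"-", 2)
        if len(parts) < 3:
            return None
        software = parts[2].split(b" ", 1)[0]       # drop the optional SP comments
        return software.decode("ascii", errors="replace")
    return None


def assess_banner(host: str, raw: Optional[bytes]) -> SshFinding:
    """Turn a raw banner (None meaning 'no connection / no reply') into a finding."""
    if raw is None:
        return SshFinding(host, False, None, False, "no SSH service reachable on tcp/22")
    software = parse_ssh_banner(raw)
    if software is None:
        return SshFinding(host, True, None, False, "tcp/22 open but no SSH identification string")
    if software.lower().startswith("dropbear"):
        return SshFinding(
            host, True, software, True,
            "dropbear SSH exposed; on an Akuvox E11 this is the default-on root service whose "
            "password cannot be changed (CVE-2023-0345): isolate or firewall the device",
        )
    return SshFinding(host, True, software, False, "SSH exposed, not dropbear; review separately")


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> Optional[bytes]:
    """Read up to 512 bytes from the server without sending anything first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(512)
    except OSError:
        return None


def scan(hosts: Iterable[str]) -> List[SshFinding]:
    """Live scan: banner-grab each host and assess it."""
    return [assess_banner(h, grab_banner(h)) for h in hosts]


if __name__ == "__main__":
    # Offline demonstration on constructed banners; no real devices are contacted.
    SAMPLES = {
        "10.0.20.11": b"SSH-2.0-dropbear_2019.78\r\n",
        "10.0.20.12": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
        "10.0.20.13": b"HTTP/1.0 400 Bad Request\r\n",   # web server on tcp/22, not SSH
        "10.0.20.14": None,                              # port closed or filtered
    }
    for host, raw in SAMPLES.items():
        f = assess_banner(host, raw)
        print(f"{f.host:<12} flagged={str(f.flagged):<5} software={f.software!r:<28} {f.note}")
    # Against a real segment, replace the loop above with: scan(["10.0.20.11", "10.0.20.12"])
```

Run it against the subnet the intercoms live on and anything flagged should end up behind a firewall rule that permits only the SIP server and the management station to reach it. A dropbear banner alone does not prove the host is an E11, so confirm the model through the web interface or DHCP inventory before acting on a finding.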

The development comes as Wago has released patches for several of its programmable logic controllers (PLCs) to address vulnerabilities that could be exploited to achieve complete system compromise.
