New Axis OS security research supported by transparent design
Security through obscurity
In a recent blog post, we disclosed a new remote code execution vulnerability affecting the N48PBB, a popular network video recorder (NVR) from Annke [2]. The first indication of that vulnerability came while fuzzing HTTP endpoints: after we sent a very large payload, the device rebooted on its own.
Even so, precisely triaging and validating the vulnerability took considerable effort:
- The device allowed on-demand access over SSH, but only to a restricted shell, which was useless for debugging purposes;
- No firmware image was available for analysis;
- When we did obtain the firmware, it turned out to be encrypted.
All of these countermeasures made the analysis take longer than expected. This can create a false sense of security: to create and refine attack payloads, attackers would have to go to considerable lengths to reverse engineer the obfuscation steps and gain full access to the device.
However, it must be emphasized that none of this changes whether vulnerabilities exist in the product; it only changes how hard they are to find, for attackers and defenders alike.
A side effect is that security researchers and asset owners must spend the same level of effort to find bugs and responsibly disclose them to the vendor, to the point that some abandon the verification and keep on their network a product whose security status is unknown.
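The black-box workflow described above (fuzz an HTTP endpoint with oversized payloads, notice that the device disappears from the network, then narrow down what triggers it) is the only crash signal available when there is no usable shell, no firmware and no debugger. The following Python harness is an added example and not the tooling from the original post: it sends a POST body of increasing size, uses TCP reachability as a liveness oracle, and bisects the smallest body length that reboots the target. The endpoint path, the `FakeDevice` stand-in (a constructed target that "reboots" when a request body exceeds a fixed buffer) and the size ladder are assumptions for illustration.

```python
"""Length-sweep HTTP fuzzing with a reboot (liveness) oracle.

Added example, not code from the original post. Network I/O sits behind a
small send()/alive() interface so the same harness runs against a real
TcpTarget or the constructed FakeDevice below.
"""
import socket
import time
from typing import Optional, Sequence


def build_request(host: str, path: str, body: bytes) -> bytes:
    """Minimal HTTP/1.1 POST carrying an oversized body (path is an assumption)."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    return head + body


class TcpTarget:
    """Real device: deliver a request, and report whether the port still answers."""

    def __init__(self, host: str, port: int = 80, path: str = "/", timeout: float = 5.0):
        self.host, self.port, self.path, self.timeout = host, port, path, timeout

    def send(self, body: bytes) -> bool:
        """True if the server answered at least one byte, False on error or timeout."""
        try:
            with socket.create_connection((self.host, self.port), self.timeout) as s:
                s.settimeout(self.timeout)
                s.sendall(build_request(self.host, self.path, body))
                return bool(s.recv(1))
        except OSError:
            return False

    def alive(self) -> bool:
        """Liveness oracle: a plain TCP connect to the service port."""
        try:
            with socket.create_connection((self.host, self.port), 2.0):
                return True
        except OSError:
            return False


class FakeDevice:
    """Constructed stand-in: any body longer than `buf` bytes 'reboots' the device,
    which then fails `downtime` liveness probes before answering again."""

    def __init__(self, buf: int = 4096, downtime: int = 3):
        self.buf, self.downtime, self.down_for = buf, downtime, 0

    def send(self, body: bytes) -> bool:
        if self.down_for:
            return False
        if len(body) > self.buf:
            self.down_for = self.downtime
            return False
        return True

    def alive(self) -> bool:
        if self.down_for:
            self.down_for -= 1
            return False
        return True


def wait_alive(target, max_probes: int, sleep: float = 0.0) -> Optional[int]:
    """Poll until the device answers again; number of probes needed, or None."""
    for i in range(1, max_probes + 1):
        if target.alive():
            return i
        time.sleep(sleep)
    return None


def crashes(target, size: int, max_probes: int = 30, sleep: float = 0.0) -> bool:
    """Crash oracle: one request of `size` bytes followed by a liveness check.
    If the device vanished, wait for it to come back so the next probe starts clean."""
    target.send(b"A" * size)
    if target.alive():
        return False
    wait_alive(target, max_probes, sleep)
    return True


def length_sweep(target, sizes: Sequence[int]) -> Optional[int]:
    """Coarse sweep: first size in the ascending ladder that reboots the target."""
    for n in sizes:
        if crashes(target, n):
            return n
    return None


def bisect_threshold(target, good: int, bad: int) -> int:
    """Smallest size in (good, bad] that crashes, given `good` survives and `bad` crashes."""
    while bad - good > 1:
        mid = (good + bad) // 2
        if crashes(target, mid):
            bad = mid
        else:
            good = mid
    return bad


def find_crash_size(target, sizes: Sequence[int] = (256, 1024, 4096, 16384, 65536)) -> Optional[int]:
    """Sweep the ladder, then bisect between the last surviving and first crashing size."""
    bad = length_sweep(target, sizes)
    if bad is None:
        return None
    smaller = [s for s in sizes if s < bad]
    return bisect_threshold(target, smaller[-1] if smaller else 0, bad)


if __name__ == "__main__":
    # Offline demo against the constructed device; swap in TcpTarget("192.0.2.10") for hardware.
    print("minimal crashing body length:", find_crash_size(FakeDevice(buf=4096)))
```

A TCP connect is a coarse oracle: a device that hangs without rebooting, or whose web server restarts while the kernel keeps running, looks the same as a full reboot. On real hardware, confirm the signal with a second channel (ping, a serial console, or the device's own boot log) before treating the size as a reproducer.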
The Axis Companion Recorder
As we continued our research on IP video surveillance systems, we decided to investigate the security of products from a long-time IP video surveillance equipment manufacturer, Axis Communications [3]. We bought an Axis Companion Recorder, a compact NVR that supports up to 8 directly connected PoE IP cameras. For more information on NVRs, see our previous blog post [2], which describes in detail how they work and their security.
Immediately after setting up the device, the transparent approach of Axis becomes clear.
First, the device allows unrestricted remote access over SSH out of the box; the service only needs to be enabled via the web interface.