ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC fail to properly restrict access to the factory…
certcc·CWE-306·Published 2017-12-15
ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC fail to properly restrict access to the factory reset page. An unauthenticated, remote attacker can exploit this vulnerability by directly accessing the http://x.x.x.x/setup/setup_maintain_firmware-default.html page. This will allow an attacker to perform a factory reset on the device, leading to a denial of service condition or the ability to make use of default credentials (CVE-2017-3186).
ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC fail to properly restrict access to the factory reset page. An unauthenticated, remote attacker can exploit this vulnerability by directly accessing the http://x.x.x.x/setup/setup_maintain_firmware-default.html page. This will allow an attacker to perform a factory reset on the device, leading to a denial of service condition or the ability to make use of default credentials (CVE-2017-3186).
Las cámaras ACTi (incluyendo series D, B, I y E) con firmware versión A1D-500-V6.11.31-AC no restringen correctamente el acceso a la página de restablecimiento de fábrica. Un atacante remoto no autenticado puede explotar esta vulnerabilidad accediendo directamente a la página http://x.x.x.x/setup/setup_maintain_firmware-default.html. Esto permitirá que un atacante realice un restablecimiento de fábrica en el dispositivo, que conducirá a una denegación de servicio (DoS) o a la capacidad de utilizar las credenciales por defecto (CVE-2017-3186).
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 10.0 | 10.0 | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| 3.0 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |