Security Update FF20170615001

With the assistance of the Claudio Bozzato of Cisco Talos, we recently solved 20 potential security bugs in our firmware. We want to reassure you, our customers, that in our latest firmware updates we have fixed all 20 issues (and that as we’ve elucidated below, they were were very minor, with no reported security breaches in any products used by customers). Cisco has also confirmed that 20 of these bugs are properly fixed. To secure any network device over its full life cycle, we recommend always updating its firmware to the latest version. You can do this for your Foscam cameras either by (1) using the firmware upgrade feature in the Foscam App or (2) downloading the newest firmware from our website and then updating it to the device via the Foscam Web UI or VMS.

Remote Injection Vulnerability in Foscam IP Video Camera CGIProxy.fcgi

Formerly, with administrator rights several API interfaces of the CGIProxy.fcgi could be remotely injected. An injection attack occurs when a vulnerable application is exploited to execute various arbitrary commands on a host’s operating system. The CGIProxy.fcgi API is used to implement various communications between an IPC and the Web UI or Foscam App, and it is shared with 3rd party developers via Foscam SDKs. In order to perform those injections, an unauthorized user would have needed (a) administrator privileges to perform those remote injections, and (b) any such user would have needed to already have cracked the strong password associated with the administrator account. Therefore, any such remote injection bug associated with those CGIProxy.fcgi APIs was extremely negligible. Nonetheless, all the related CGIProxy.fcgi APIs have been strengthened in the latest firmware. The following are the corresponding individual bugs, which are denoted by shared IDs used for reference between the Foscam and Cisco teams:

    ● TALOS-2017-0328 - Foscam IP Video Camera CGIProxy.fcgi Account Creation Command Injection Vulnerability
    ● TALOS-2017-0329 - Foscam IP Video Camera CGIProxy.fcgi Account Password Command Injection Vulnerability
    ● TALOS-2017-0334 - Foscam IP Video Camera CGIProxy.fcgi FTP Startup Configuration Command Injection Vulnerability
    ● TALOS-2017-0330 - Foscam IP Video Camera CGIProxy.fcgi Message 0x3001 Directory Traversal Vulnerability
    ● TALOS-2017-0331 - Foscam IP Video Camera CGIProxy.fcgi Message 0x3001 Multi-part Form Boundary Code Execution Vulnerability
    ● TALOS-2017-0332 - Foscam IP Video Camera CGIProxy.fcgi Query Append Code Execution Vulnerability
    ● TALOS-2017-0299 - Foscam IP Video Camera WebService CGI Parameter Code Execution Vulnerability
    ● TALOS-2017-0348 - Foscam IP Video Camera CGIProxy.fcgi Gateway Address Configuration Command Injection Vulnerability
    ● TALOS-2017-0349 - Foscam IP Video Camera CGIProxy.fcgi DNS1 Address Configuration Command Injection Vulnerability
    ● TALOS-2017-0350 - Foscam IP Video Camera CGIProxy.fcgi DNS2 Address Configuration Command Injection Vulnerability
    ● TALOS-2017-0351 - Foscam IP Video Camera CGIProxy.fcgi NTP Server Configuration Command Injection Vulnerability
    ● TALOS-2017-0352 - Foscam IP Video Camera CGIProxy.fcgi Change Username pureftpd.passwd Injection Vulnerability
    ● TALOS-2017-0335 - Foscam IP Video Camera CGIProxy.fcgi Account Deletion Command Injection Vulnerability
    ● TALOS-2017-0343 - Foscam IP Video Camera CGIProxy.fcgi SMTP Test Host Parameter Configuration Command Injection Vulnerability
    ● TALOS-2017-0344 - Foscam IP Video Camera CGIProxy.fcgi SMTP Test User Parameter Configuration Command Injection Vulnerability
    ● TALOS-2017-0345 - Foscam IP Video Camera CGIProxy.fcgi SMTP Test Password Parameter Configuration Command Injection Vulnerability
    ● TALOS-2017-0346 - Foscam IP Video Camera CGIProxy.fcgi SMTP Test Sender Parameter Configuration Command Injection Vulnerability
    ● TALOS-2017-0347 - Foscam IP Video Camera CGIProxy.fcgi SMTP Test Command Injection Vulnerability
    ● TALOS-2017-0353 - Wifi Settings Code Execution Vulnerability

FTP Hard Coded Password Vulnerability

Formerly, a vestigial FTP account could be accessed in the Foscam C1 model IPC; but only over a local network, never a remote network. This account therefore presented a very negligible security bug, but in the latest firmware we have nonetheless fixed a programming error that had prevented this account from being disabled. The following are the corresponding individual bugs, with shared ids for the easy reference between our team and the Cisco team:

    ● TALOS-2016-0245 - Foscam C1 Webcam FTP Hard Coded Password Vulnerability

In conclusion, in writing the above we have endeavored to show that Foscam always puts security first, and that we make a continuous and sincere effort to stay ahead of industry standards. As we’ve explained, all of the above issues have been fixed. No known breaches have occurred, even before these fixes. We thank the Claudio Bozzato of Cisco Talos for reaching out to our team and helping verify these fixes. To our customers, thank you for trusting us. We will always strive to honor your trust and earn your business by responding to security concerns with the utmost seriousness, timeliness, and diligence.

Those security bugs discovered by Claudio Bozzato of Cisco Talos http://talosintelligence.com/vulnerability-reports/