Security Update FF20171117001

With the assistance of Claudio Bozzato of Cisco Talos, we recently solved 12 potential security bugs in our firmware for the Foscam C1 series and several other models that share the same chipset. This includes the Foscam C1, C1 V2, C1-Lite, C1-Lite V2, FI9803P V2, FI9803P V3, FI9815P, FI9815P V2, FI9816P, FI9816P V2, and FI9851P V2 IP camera models.

We want to reassure you, our customers, that in our latest firmware updates we have fixed all 12 issues (and that, as we’ve detailed below, they were very minor, with no reported security breaches in any products used by customers). Cisco has also confirmed that 12 of these bugs are properly fixed.

To secure any network device over its full life cycle, we recommend always updating its firmware to the latest version. You can do this for your Foscam cameras either by (1) using the firmware upgrade feature in the Foscam App or (2) downloading the newest firmware from our website and then installing it on the device via the Foscam Web UI or VMS.

Remote Injection Vulnerability in Foscam IP Video Camera CGIProxy.fcgi

Formerly, several API interfaces of CGIProxy.fcgi were open to remote injection by a user with administrator rights. An injection attack occurs when a vulnerable application is exploited to execute arbitrary commands on a host’s operating system. The CGIProxy.fcgi API is used to implement various communications between an IPC and the Web UI or Foscam App, and it is shared with 3rd party developers via Foscam SDKs. To perform those injections, an unauthorized user would have needed (a) administrator privileges, and (b) to have already cracked the strong password associated with the administrator account. Therefore, the risk from any such remote injection bug associated with those CGIProxy.fcgi APIs was extremely negligible. Nonetheless, all the related CGIProxy.fcgi APIs have been strengthened in the latest firmware. The following are the corresponding individual bugs, which are denoted by shared IDs used for reference between the Foscam and Cisco teams:

    TALOS-2017-0379 - Foscam IP Video Camera CGIProxy.fcgi Firmware Upgrade Code Execution Vulnerability
    TALOS-2017-0380 - Foscam IP Video Camera CGIProxy.fcgi SoftAP Configuration Command Injection Vulnerability
    TALOS-2017-0385 - Foscam IP Video Camera CGIProxy.fcgi logOut Code Execution Vulnerability

Local Network Port Buffer Overflow Vulnerability

Formerly, ports 10000 and 10001, which were used on the local network by the Foscam Device Search Tool to search for and communicate with devices, had a buffer overflow vulnerability. Such buffer overflow attacks can only be carried out over a local network, never a remote network. These attacks therefore presented a very negligible security risk, but in the latest firmware we have nonetheless added the proper verification mechanism to block any possible buffer overflow attacks. The following are the corresponding individual bugs, with shared IDs for easy reference between our team and the Cisco team:

    TALOS-2017-0381 - Foscam IP Video Camera devMng Multi-Camera Port 10000 Command 0x0000 Information Disclosure Vulnerability
    TALOS-2017-0382 - Foscam IP Video Camera devMng Multi-Camera Port 10000 Command 0x0002 Username Field Code Execution Vulnerability
    TALOS-2017-0383 - Foscam IP Video Camera devMng Multi-Camera Port 10000 Command 0x0002 Password Field Code Execution Vulnerability
    TALOS-2017-0384 - Foscam IP Video Camera devMng Multi-Camera Port 10001 Command 0x0064 Empty AuthResetKey Vulnerability

Client Code Execution Vulnerability

Formerly, the DDNS and UPnP function modules had code execution vulnerabilities; attacks against those vulnerabilities would crash the corresponding system module for a short period of time. However, both the DDNS and the UPnP functions are intended for advanced usage and are disabled by default for the majority of our customers, so average users would not be exposed to those attacks unless they manually switched on those functions. In the latest firmware we have nonetheless added verification mechanisms that block the possible code execution attack. The following are the corresponding individual bugs, with shared IDs for easy reference between our team and the Cisco team:

    TALOS-2017-0357 - Foscam IP Video Camera webService oray.com DDNS Client Code Execution Vulnerability
    TALOS-2017-0358 - Foscam IP Video Camera webService 3322.net DDNS Client Code Execution Vulnerability
    TALOS-2017-0359 - Foscam IP Video Camera webService dyndns.com DDNS Client Code Execution Vulnerability
    TALOS-2017-0360 - Foscam IP Video Camera webService 9299.org DDNS Client Code Execution Vulnerability
    TALOS-2017-0386 - Foscam IP Video Camera UPnP Discovery Code Execution Vulnerability

In conclusion, in writing the above we have endeavored to show that Foscam always puts security first, and that we make a continuous and sincere effort to stay ahead of industry standards. As we’ve explained, all of the above issues have been fixed. No known breaches have occurred, even before these fixes. We thank Claudio Bozzato of Cisco Talos for reaching out to our team and helping to verify these fixes. To our customers, thank you for trusting us. We will always strive to honor your trust and earn your business by responding to security concerns with the utmost seriousness, timeliness, and diligence.

The report that this article references was written by Claudio Bozzato of Cisco Talos. It can be found here: http://talosintelligence.com/vulnerability-reports/

Please download new firmware from http://www.foscam.com/downloads/index.html or update the firmware using Foscam App