Vulnerabilities in XMeye P2P Cloud Server

Wednesday, October 10, 2018 @ 01:10 PM gHale

Hangzhou Xiongmai Technology Co., Ltd is working on fixes for multiple vulnerabilities in its XMeye P2P Cloud Server, according to a report from NCCIC.

The vulnerabilities are predictable from observable state, hidden functionality, and missing encryption of sensitive data.

Successful exploitation of these remotely exploitable vulnerabilities, discovered by Stefan Viehböck on behalf of SEC Consult Vulnerability Lab, could allow unauthorized access to video feeds with the potential to modify settings, replace firmware, and/or execute code. Information related to these vulnerabilities is publicly available.

All products using XMeye P2P Cloud Server are affected.

Hangzhou Xiongmai Technology Co., Ltd acts primarily as an original equipment manufacturer (OEM) and sells few, if any, Xiongmai-branded products. Various vendors sell branded devices with Hangzhou Xiongmai Technology Co., Ltd hardware/firmware inside.

Use the following methods to check the hardware/firmware:
• Check if the product documentation/specifications mention the “XMEye” feature.
• Access the err.htm page on the device (http://<device-IP>/err.htm). Xiongmai or XMeye will be referenced.
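
The err.htm check above can be run across your own camera/DVR inventory. The following is an added example, not code from the article, NCCIC, or the vendor. The function names are hypothetical, the sample pages are constructed, and hosts are assumed to come from your own asset list.

```python
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

# Vendor strings the article says the error page will reference.
MARKERS = re.compile(r"xiongmai|xmeye", re.IGNORECASE)

def classify_err_page(body: str) -> List[str]:
    """Return the sorted, lower-cased vendor markers found in an err.htm body."""
    return sorted({m.group(0).lower() for m in MARKERS.finditer(body)})

def fetch_err_page(host: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch http://<host>/err.htm; return None if the device cannot be reached."""
    try:
        with urllib.request.urlopen(f"http://{host}/err.htm", timeout=timeout) as resp:
            return resp.read(65536).decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        # An error page may come back with a non-200 status; inspect its body anyway.
        return exc.read(65536).decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None

def audit(hosts: Iterable[str],
          fetch: Callable[[str], Optional[str]] = fetch_err_page) -> Dict[str, str]:
    """Map each inventory host to 'xiongmai', 'no-marker' or 'unreachable'."""
    report = {}
    for host in hosts:
        body = fetch(host)
        if body is None:
            report[host] = "unreachable"
        elif classify_err_page(body):
            report[host] = "xiongmai"   # rebranded OEM hardware/firmware inside
        else:
            report[host] = "no-marker"  # fall back to the documentation check
    return report

# Constructed sample pages (not captured from real devices) for offline testing.
SAMPLE_PAGES = {
    "cam-lobby": "<html><title>Error</title><body>XMEye service - Xiongmai</body></html>",
    "cam-dock": "<html><body>404 Not Found</body></html>",
}

if __name__ == "__main__":
    # Usage: python check_err_page.py 192.0.2.10 192.0.2.11
    for host, verdict in audit(sys.argv[1:]).items():
        print(f"{host}\t{verdict}")
```

A "no-marker" result does not clear a device; the documentation check in the first bullet still applies.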

In one vulnerability, an attacker may be able to use MAC addresses to enumerate potential Cloud IDs. Using this ID, the attacker can discover and connect to valid devices using one of the supported apps.

CVE-2018-17917 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

In addition, an attacker could use an undocumented user account “default” with its default password to log in to XMeye and access/view video streams.

CVE-2018-17919 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

Also, not all device communication is encrypted. This includes the XMeye service and firmware update communication. This could allow an attacker to eavesdrop on video feeds, steal XMeye login credentials, or impersonate the update server with malicious update code.

CVE-2018-17915 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.

The product sees use in multiple critical infrastructure sectors. It also sees action on a global basis.

An attacker with low skill level could leverage the vulnerabilities.

China-based Hangzhou Xiongmai Technology Co., Ltd has not provided mitigations for these vulnerabilities.


