{"vuid":"VU#547255","idnumber":"547255","name":"Dahua IP cameras Sonia web interface is vulnerable to stack buffer overflow","keywords":["dahua","sonia","camera","buffer","overflow","stack"],"overview":"Dahua IP camera products using firmware versions prior to V2.400.0000.14.R.20170713 include a version of the Sonia web interface that may be vulnerable to a stack buffer overflow.","clean_desc":"CWE-121: Stack-based Buffer Overflow - CVE-2017-3223. Dahua IP camera products include an application known as Sonia (/usr/bin/sonia) that provides the web interface and other services for controlling the IP camera remotely. Versions of Sonia included in firmware versions prior to DH_IPC-Consumer-Zi-Themis_Eng_P_V2.408.0000.11.R.20170621 do not validate input data length for the 'password' field of the web interface. A remote, unauthenticated attacker may submit a crafted POST request to the IP camera's Sonia web interface that may lead to out-of-bounds memory operations and loss of availability or remote code execution. The issue was originally identified by the researcher in firmware version DH_IPC-HX1X2X-Themis_EngSpnFrn_N_V2.400.0000.30.R.20160803.","impact":"A remote, unauthenticated attacker may submit a crafted POST request to the IP camera's Sonia web interface that may lead to out-of-bounds memory operations and loss of availability or remote code execution.","resolution":"Apply update: Dahua has released firmware version DH_IPC-ACK-Themis_Eng_P_V2.400.0000.14.R.20170713.bin to address this issue. All affected users should update their firmware as soon as possible. If you have any questions, you may contact cybersecurity@dahuatech.com.","workarounds":"","sysaffected":"","thanks":"Thanks to Ilya Smith of Positive Technologies for reporting this vulnerability.","author":"This document was written by Garret Wassermann.","public":["http://www.dahuasecurity.com/firmware_161.html","http://cwe.mitre.org/data/definitions/121.html"],"cveids":["CVE-2017-3223"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2017-05-31T21:55:29Z","publicdate":"2017-07-18T00:00:00Z","datefirstpublished":"2017-07-18T15:24:24Z","dateupdated":"2017-07-26T16:18:07Z","revision":43,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"7.8","cvss_environmentalscore":"5.86926702432","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}