본문내용 바로가기 메인메뉴 바로가기 푸터 바로가기

Security Advisory

CVE-2020-7879 | ipTIME C200 IP Camera command injection vulnerability2021.11.30
□ Overview
 o EFMNetworks Co.,Ltd released security update to address command injection vulnerability in ipTIME C200 IP Camera.
Vulnerability
Vulnerability Type Impact Severity CVSS Score CVE ID
OS command injection remote command injection High 8.8 CVE-2020-7879

□ Description
 oThis issue was discovered when the ipTIME C200 IP Camera was synchronized with the ipTIME NAS.
 o It is necessary to extract value for ipTIME IP camera because the ipTIME NAS send ans setCookie('[COOKIE]') .
o The value is transferred to the --header option in wget binary, and there is no validation check.
This vulnerability allows remote attackers to execute remote command.

□ Affected Product
Affected Product
Product Version Platform
ipTIME C200 IP camera 1.0.16 N/A

□ Solution
 o Update firmware of ipTIME C200 IP Camera  1.036 version or higher.

□ Reference
 [1] http://iptime.com/iptime/?page_id=126&diffid=&dfsid=19&dftid=541

□ Etc
 o Thanks to Jeongun Baek for reporting this vulnerability.
 


□ 작성 : 침해사고분석단 취약점분석팀