IoT security camera vendor UCam247 has contacted The Register to say most devices in the wild aren't vulnerable to the “single URL pwnage” vulnerability.
Yesterday, we reported that more than 30 cameras from seven vendors had shipped with a modified GoAhead Web server.
Among other things, the modification introduced a simple-to-the-point-of-stupidity pre-authentication buffer overrun: a URL longer than 256 bytes is copied to a 256-character stack.
We contacted all the affected vendors, and to its credit, UCam247's managing director Paresh Morjaria has responded. We provide his full response below:
Thanks for making us aware of the potential bug in the firmware used in both our IP cameras and those of many other brands that sell in the UK.
Our firmware engineers have advised that in their testing the potential exploit is not an issue in firmware version 6.10 and above and should not be a issue.
The vast majority of our customers are now using v6.14 and later but those that are still running firmware older than 6.10 will be contacted to advise them to update the firmware asap.
That said, we have asked our engineers to continue testing this and other related work around exploits that 'may' exist just to ensure the bug is patched for as necessary and fully. A new firmware is due to be released within the next couple of weeks containing some additional functional updates and any new fixes for this exploit will be rolled out in that as a matter of course.
Paresh Morjaria MD, UCam247
And from El Reg, thanks Paresh for keeping an eye on the inbox. ®