Smart cameras with enhanced connectivity, communication and analytics capabilities are widely used for several purposes, including distributed situational awareness and physical security. Combining traditional video recording with advanced software features, these devices allow for the implementation of advanced use-cases such as facial recognition, real-time environmental monitoring, motion detection and license plate verification. Recently, Nozomi Networks Labs performed a security research activity focused on the License Plate Verifier software product offered by Axis Communications.
Axis Communications is a leader in the security camera sector, serving a wide range of industries such as aviation, smart cities and healthcare. Their products include network cameras, wearable systems, access control systems, and more. They also offer a solution that enables compatible devices to implement access control rules based on license plate recognition. The solution can be used to enforce automatic access control on restricted outdoor areas or limited-traffic zones, much as badge scanning and facial recognition are used for building access control.
Nozomi Networks Labs had the opportunity to analyze the License Plate Verifier application software on an Axis P3245-LVE-3 camera; the software can, however, be installed on a wider range of Axis devices. In this blog we disclose six vulnerabilities affecting License Plate Verifier version 2.7.1 (the latest release at the time of the analysis) on all compatible Axis devices. These issues could allow an attacker to exfiltrate credentials used to access additional systems, escalate privileges to reach restricted functionality, and gain arbitrary code execution with full privileges on the device. Nozomi Networks Labs notified the vendor in May 2023, and Axis responded with additional details and a timeline for updating the License Plate Verifier application.
The Axis Security Bulletin dated 01/08/23 notifies users and gives instructions to update the affected application to a newer version.
Axis Web Interface: Background Information
Each Axis camera can be managed through a dedicated web interface running on the Linux-based device, allowing the user to configure many different settings, including network or security settings, and users and credentials. For security purposes, users with access to the web interface are divided into three groups:
- Administrators: Full access to the system and its settings.
- Operators: Full access to the system and its settings, except for user creation and a few other specific restrictions.
- Viewers: Very limited access to the system. By toggling a specific option, viewers can be set as guests, requiring no authentication.
The License Plate Verifier is an additional web application that can be installed on compatible devices through the main Axis web interface running on the camera. On some Axis products it is installed by default. The application allows the creation of customized access rules based on the recognition of license plates on vehicles that transit through the monitored area.
Additionally, multiple cameras can be linked together to share the same access control rules across multiple monitored areas. This functionality, called "camera synchronization", requires entering the IP address of the camera to be linked together with a username and password valid on that camera. The credentials are needed to authenticate to each camera being synchronized, and the account must belong at least to the Operator group for authentication to succeed.
Vulnerability Analysis: Axis License Plate Verifier 2.7.1
While analyzing the License Plate Verifier web application version 2.7.1 from Axis Communications, we found six distinct vulnerabilities, as listed below:
- CVE-2023-21407: Broken access control (CWE-284), CVSS 3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- CVE-2023-21408: Unsafe credentials handling (CWE-732, CWE-256), CVSS 3.1 Base Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CVE-2023-21409: Unsafe credentials handling (CWE-732, CWE-256), CVSS 3.1 Base Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CVE-2023-21410: Improper Neutralization of Special Elements (‘Command Injection’) (CWE-78), CVSS 3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- CVE-2023-21411: Improper Neutralization of Special Elements (‘Command Injection’) (CWE-78), CVSS 3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- CVE-2023-21412: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89), CVSS 3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
The most impactful vulnerabilities are CVE-2023-21410, CVE-2023-21411 and CVE-2023-21412, since these issues can be chained together to allow an attacker with limited viewer privileges to execute arbitrary code as the 'root' user on the Axis camera hosting the License Plate Verifier application.
CVE-2023-21412: This vulnerability allows an attacker with viewer privileges on one camera to extract, through an SQL injection in the web interface, the authentication credentials stored for a synchronized system (via the "camera synchronization" feature). Because those credentials must belong at least to the Operator group, a viewer of one camera can ultimately gain access to another synchronized device and escalate their privileges to those of an operator.
CVE-2023-21410, CVE-2023-21411: These two vulnerabilities are command injections exploitable by a user authenticated with an operator account, allowing the attacker to execute arbitrary code on the device with 'root' privileges.
If at least two cameras are synchronized through the "camera synchronization" capability offered by the License Plate Verifier application, an attacker with a low-privileged viewer account could chain CVE-2023-21412 with either CVE-2023-21410 or CVE-2023-21411: first extracting a set of valid credentials to escalate their privileges to operator, then executing arbitrary code with 'root' privileges on one of the connected Axis cameras.
In addition, viewer access can be set as anonymous by toggling a specific option (not enabled by default), so that no authentication is required to visit the web interface as a viewer. In that configuration the described attack chain could be exploited by a completely unauthenticated attacker, regardless of any assigned user group.
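To make the credential-extraction step of the chain concrete, here is an added Python/sqlite3 illustration that is not the product's code and says nothing about how License Plate Verifier actually stores its data: it assumes a hypothetical schema with a plate-lookup table and a separate peer-credentials table, and contrasts a lookup that concatenates caller input into the SQL text (CWE-89) with the parameterised form. The table and column names, the query shape and the payload are all assumptions made for this illustration.

```python
import sqlite3

# Constructed toy schema for the illustration only. The real application's
# storage layout is not described on this page; these table and column
# names are assumptions.
SCHEMA = """
CREATE TABLE plates (plate TEXT NOT NULL, allowed INTEGER NOT NULL);
CREATE TABLE sync_peers (ip TEXT NOT NULL, username TEXT NOT NULL, password TEXT NOT NULL);
INSERT INTO plates VALUES ('AB123CD', 1), ('ZZ999ZZ', 0);
INSERT INTO sync_peers VALUES ('192.0.2.20', 'operator1', 'S3cret!');
"""


def open_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_plate_vulnerable(conn, plate):
    """CWE-89 pattern: caller-controlled text is pasted into the SQL statement."""
    sql = "SELECT plate, allowed FROM plates WHERE plate = '%s'" % plate
    return conn.execute(sql).fetchall()


def lookup_plate_fixed(conn, plate):
    """Parameterised form: the value is bound by the driver and never parsed as SQL."""
    sql = "SELECT plate, allowed FROM plates WHERE plate = ?"
    return conn.execute(sql, (plate,)).fetchall()


# Payload a low-privileged caller could submit in the plate field: it closes
# the string literal, appends a UNION whose column count matches the original
# SELECT, and comments out the trailing quote. Constructed for this example.
UNION_PAYLOAD = "x' UNION SELECT username, password FROM sync_peers -- "


if __name__ == "__main__":
    db = open_db()
    print("vulnerable, honest input:", lookup_plate_vulnerable(db, "AB123CD"))
    print("vulnerable, payload:     ", lookup_plate_vulnerable(db, UNION_PAYLOAD))
    print("fixed, payload:          ", lookup_plate_fixed(db, UNION_PAYLOAD))
```

The vulnerable lookup returns the peer's operator credentials for the UNION payload because the injected SELECT has the same column count as the original query; the parameterised version treats the whole payload as a literal plate string and matches nothing. Parameterisation closes the injection but not the credential-handling weakness (CWE-256): credentials used to log in to another camera must remain recoverable by the application, so they cannot simply be hashed, and their protection rests on file permissions, access control on every code path that reads them, and keeping the sync account's privileges as low as the feature allows.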
We recommend that asset owners promptly upgrade the License Plate Verifier application as described in the Axis Security Bulletin dated 01/08/2023 to prevent abuse of their systems by unauthorized threat actors. The updated application can be installed manually by downloading the latest version from the official Axis Communications website, or automatically by upgrading the device firmware to the latest release.
Smart cameras nowadays are widely used for physical security purposes to protect sensitive and restricted areas and locations. The ability to combine traditional video recording with smart sensors, processing, and input/output analytics capabilities makes them a perfect solution to automate and implement widely distributed access control rules with a high level of precision.
In this article we disclosed six vulnerabilities impacting the Axis License Plate Verifier application that could result in unauthorized access, privilege escalation and arbitrary code execution on all supported Axis security camera devices. We urge asset owners to apply the available software upgrade for the License Plate Verifier application to prevent adversaries from exploiting these vulnerabilities.
We at Nozomi Networks Labs are honored to contribute to making critical OT and IoT infrastructure more reliable day by day. In addition to remediating the disclosed vulnerabilities in their devices, the Axis Communications team expressed their appreciation in the quote below:
“We thank Nozomi Networks for their excellent research and good collaboration throughout the disclosure process. It is the second time after some work in 2021 that we had the pleasure now to work together with Nozomi Networks and benefited from their expertise. Axis Communications welcomes security researchers and ethical hackers to inspect our products and applications as it is our belief that long-term sustainable cyber security is created through collaboration and transparency.”
– Andre Bastert, Axis Product Security Team