CVE-2004-2427
CVSS 10.0
Published: 2004-12-31 00:00:00
Last revised: 2008-09-05 16:44:06

[Original] Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to obtain sensitive information via direct requests to (1) admin/getparam.cgi, (2) admin/systemlog.cgi, (3) admin/serverreport.cgi, and (4) admin/paramlist.cgi, modify system information via (5) setparam.cgi and (6) factorydefault.cgi, or (7) cause a denial of service (reboot) via restart.cgi.


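[CNNVD] Axis Network Camera and Video Server Information Disclosure and Denial of Service Vulnerability (CNNVD-200412-409)

        A vulnerability exists in Axis Network Camera 2.40 and earlier and in Video Server 3.12 and earlier. Remote attackers can obtain sensitive information via direct requests to (1) admin/getparam.cgi, (2) admin/systemlog.cgi, (3) admin/serverreport.cgi and (4) admin/paramlist.cgi, modify system information via (5) setparam.cgi and (6) factorydefault.cgi, or cause a denial of service via (7) restart.cgi.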

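- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [Total information disclosure, exposing all system files]
Integrity impact: COMPLETE [System integrity can be completely compromised]
Availability impact: COMPLETE [Can cause the system to go down completely]
Attack complexity: LOW [No access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [Exploitation requires no authentication]

- CPE (Affected Platforms and Products)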

cpe:/h:axis:2130_ptz_network_camera:2.32  Axis Communications AXIS 2130 PTZ Network Camera 2.32
cpe:/h:axis:2401_video_server:2.20  Axis Communications AXIS 2401 Video Server 2.20
cpe:/h:axis:storpoint_cd  Axis Communications AXIS StorPoint CD
cpe:/h:axis:2400_video_server:2.0  Axis Communications AXIS 2400 Video Server 2.0
cpe:/h:axis:2460_network_dvr:3.10  Axis Communications AXIS 2460 Network DVR 3.10
cpe:/h:axis:2130_ptz_network_camera:2.34  Axis Communications AXIS 2130 PTZ Network Camera 2.34
cpe:/h:axis:2401_video_server:2.30  Axis Communications AXIS 2401 Video Server 2.30
cpe:/h:axis:2401_video_server:3.12
cpe:/h:axis:2120_network_camera:2.34  Axis Communications AXIS 2120 Network Camera 2.34
cpe:/h:axis:2400_video_server:2.30  Axis Communications AXIS 2400 Video Server 2.30
cpe:/h:axis:2110_network_camera:2.41  Axis Communications AXIS 2110 Network Camera 2.41
cpe:/h:axis:2401_video_server:1.0_1  Axis Communications AXIS 2401 Video Server 1.0 1
cpe:/h:axis:2420_network_camera:2.33  Axis Communications AXIS 2420 Network Camera 2.33
cpe:/h:axis:2411_video_server:3.12
cpe:/h:axis:2110_network_camera:2.30  Axis Communications AXIS 2110 Network Camera 2.30
cpe:/h:axis:2110_network_camera:2.32  Axis Communications AXIS 2110 Network Camera 2.32
cpe:/h:axis:2400_video_server:3.11
cpe:/h:axis:2100_network_camera:2.30  Axis Communications AXIS 2100 Network Camera 2.30
cpe:/h:axis:2460_network_dvr  Axis Communications AXIS 2460 Network DVR
cpe:/h:axis:2400_video_server:2.20  Axis Communications AXIS 2400 Video Server 2.20
cpe:/h:axis:2420_network_camera:2.12  Axis Communications AXIS 2420 Network Camera 2.12
cpe:/h:axis:2120_network_camera:2.31  Axis Communications AXIS 2120 Network Camera 2.31
cpe:/h:axis:2400_video_server:2.32  Axis Communications AXIS 2400 Video Server 2.32
cpe:/h:axis:2401_video_server:1.15  Axis Communications AXIS 2401 Video Server 1.15
cpe:/h:axis:2411_video_server:3.13
cpe:/h:axis:2130_ptz_network_camera:2.31  Axis Communications AXIS 2130 PTZ Network Camera 2.31
cpe:/h:axis:230_mpeg2_video_server:3.11
cpe:/h:axis:2400_video_server:1.10  Axis Communications AXIS 2400 Video Server 1.10
cpe:/h:axis:250s_video_server:3.10  Axis Communications AXIS 250S MPEG2 Video Server 3.10
cpe:/h:axis:2420_network_camera:2.41  Axis Communications AXIS 2420 Network Camera 2.41
cpe:/h:axis:2110_network_camera:2.34  Axis Communications AXIS 2110 Network Camera 2.34
cpe:/h:axis:2100_network_camera:2.32  Axis Communications AXIS 2100 Network Camera 2.32
cpe:/h:axis:2420_video_server:2.34  Axis Communications AXIS 2420 Video Server 2.34
cpe:/h:axis:2420_network_camera:2.30  Axis Communications AXIS 2420 Network Camera 2.30
cpe:/h:axis:250s_video_server:3.03  Axis Communications AXIS 250S Video Server 3.03
cpe:/h:axis:2120_network_camera:2.41  Axis Communications AXIS 2120 Network Camera 2.41
cpe:/h:axis:2400_video_server:2.34  Axis Communications AXIS 2400 Video Server 2.34
cpe:/h:axis:2490_serial_server:2.11.3  Axis Communications AXIS 2490 Serial Server 2.11.3
cpe:/h:axis:2401_video_server:2.34  Axis Communications AXIS 2401 Video Server 2.34
cpe:/h:axis:2100_network_camera:2.40  Axis Communications AXIS 2100 Network Camera 2.40
cpe:/h:axis:2110_network_camera:2.12  Axis Communications AXIS 2110 Network Camera 2.12
cpe:/h:axis:2420_video_server:2.32  Axis Communications AXIS 2420 Video Server 2.32
cpe:/h:axis:2401_video_server:2.32  Axis Communications AXIS 2401 Video Server 2.32
cpe:/h:axis:2100_network_camera:2.12  Axis Communications AXIS 2100 Network Camera 2.12
cpe:/h:axis:2100_network_camera:2.31  Axis Communications AXIS 2100 Network Camera 2.31
cpe:/h:axis:2420_network_camera:2.40  Axis Communications AXIS 2420 Network Camera 2.40
cpe:/h:axis:2120_network_camera:2.30  Axis Communications AXIS 2120 Network Camera 2.30
cpe:/h:axis:2100_network_camera:2.41  Axis Communications AXIS 2100 Network Camera 2.41
cpe:/h:axis:2460_network_dvr:3.11  Axis Communications AXIS 2460 Network DVR 3.11
cpe:/h:axis:2420_network_camera:2.32  Axis Communications AXIS 2420 Network Camera 2.32
cpe:/h:axis:2130_ptz_network_camera:2.30  Axis Communications AXIS 2130 PTZ Network Camera 2.30
cpe:/h:axis:2400_video_server:1.12  Axis Communications AXIS 2400 Video Server 1.12
cpe:/h:axis:2400_video_server:1.1  Axis Communications AXIS 2400 Video Server 1.1
cpe:/h:axis:2100_network_camera:2.33  Axis Communications AXIS 2100 Network Camera 2.33
cpe:/h:axis:2400_video_server:2.31  Axis Communications AXIS 2400 Video Server 2.31
cpe:/h:axis:2400_video_server:3.12
cpe:/h:axis:2400_video_server:1.15  Axis Communications AXIS 2400 Video Server 1.15
cpe:/h:axis:2400_video_server:1.2  Axis Communications AXIS 2400 Video Server 1.2
cpe:/h:axis:2400_video_server:2.33  Axis Communications AXIS 2400 Video Server 2.33
cpe:/h:axis:2420_network_camera:2.31  Axis Communications AXIS 2420 Network Camera 2.31
cpe:/h:axis:2130_ptz_network_camera:2.40  Axis Communications AXIS 2130 PTZ Network Camera 2.40
cpe:/h:axis:2100_network_camera:2.34  Axis Communications AXIS 2100 Network Camera 2.34
cpe:/h:axis:2420_network_camera:2.34  Axis Communications AXIS 2420 Network Camera 2.34
cpe:/h:axis:2401_video_server:2.31  Axis Communications AXIS 2401 Video Server 2.31
cpe:/h:axis:2400_video_server:1.11  Axis Communications AXIS 2400 Video Server 1.11
cpe:/h:axis:2120_network_camera:2.32  Axis Communications AXIS 2120 Network Camera 2.32
cpe:/h:axis:2110_network_camera:2.31  Axis Communications AXIS 2110 Network Camera 2.31
cpe:/h:axis:2401_video_server:2.33  Axis Communications AXIS 2401 Video Server 2.33
cpe:/h:axis:250s_video_server  Axis Communications AXIS 250S Video Server
cpe:/h:axis:2490_serial_server  Axis Communications AXIS 2490 Serial Server
cpe:/h:axis:2110_network_camera:2.40  Axis Communications AXIS 2110 Network Camera 2.40
cpe:/h:axis:2401_video_server:3.13
cpe:/h:axis:2120_network_camera:2.40  Axis Communications AXIS 2120 Network Camera 2.40
cpe:/h:axis:2120_network_camera:2.12  Axis Communications AXIS 2120 Network Camera 2.12

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2427
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2427
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-409
(Official data source) CNNVD

- Other Links and Resources

http://www.osvdb.org/9130
(PATCH)  OSVDB  9130
http://www.osvdb.org/9129
(UNKNOWN)  OSVDB  9129
http://www.osvdb.org/9128
(UNKNOWN)  OSVDB  9128
http://www.osvdb.org/9127
(UNKNOWN)  OSVDB  9127
http://www.osvdb.org/9126
(UNKNOWN)  OSVDB  9126
http://www.osvdb.org/9125
(UNKNOWN)  OSVDB  9125
http://www.osvdb.org/9123
(UNKNOWN)  OSVDB  9123
http://securitytracker.com/id?1011056
(UNKNOWN)  SECTRACK  1011056
http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0948.html
(UNKNOWN)  FULLDISC  20040822 [PoC] Nasty bug(s) found in Axis Network Camera/Video Servers

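- Vulnerability Information

Axis Network Camera and Video Server Information Disclosure and Denial of Service Vulnerability
Critical Unknown
2004-12-31 00:00:00 2007-01-24 00:00:00
Remote
        A vulnerability exists in Axis Network Camera 2.40 and earlier and in Video Server 3.12 and earlier. Remote attackers can obtain sensitive information via direct requests to (1) admin/getparam.cgi, (2) admin/systemlog.cgi, (3) admin/serverreport.cgi and (4) admin/paramlist.cgi, modify system information via (5) setparam.cgi and (6) factorydefault.cgi, or cause a denial of service via (7) restart.cgi.

- Advisories and Patches

- Vulnerability Information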

9123
Axis Network Camera/Video Server getparam.cgi Information Disclosure
Remote / Network Access Information Disclosure, Misconfiguration
Loss of Confidentiality
Exploit Public

- Vulnerability Description

Axis Network Camera and Video Server contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when a remote attacker requests the getparam.cgi script, which does not require authentication. This may disclose sensitive system parameters resulting in a loss of confidentiality.

- Timeline

2004-08-22 2004-08-16
2004-08-22 Unknown

- Solution

Upgrade to firmware version 2.42 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: restrict remote access to administrative interface scripts.

- Related References

- Vulnerability Author
