Cybersecurity resources

Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found 2 flaws in AXIS OS:
CVE-2024-0067 (CVSSv3.1: 4.3 Medium) affecting AXIS OS 8.40 - 11.10. The VAPIX API ledlimit.cgi was vulnerable for path traversal attacks allowing to list folder/file names on the local file system of the Axis device.
CVE-2024-6509 (CVSSv3.1: 6.5 Medium) affecting AXIS OS 6.50 - 11.11. The VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device.

Axis has released patches for these flaws on the LTS 2024 11.11, LTS 2022 10.12, LTS 2020 9.80, LTS 2020 9.80 tracks and the (former LTS) 8.40 and 6.50 tracks for products still under AXIS OS software support.

51l3nc3, member of the AXIS OS Bug Bounty Program, has found 1 flaw in AXIS OS:
CVE-2024-6173 (CVSSv3.1: 6.5 Medium) affecting AXIS OS 6.50 - 11.10. A Guard Tour VAPIX API parameter allowed the use of arbitrary values allowing for an attacker to block access to the guard tour configuration page in the web interface of the Axis device.

Axis has released patches for this flaw on the LTS 2024 11.11, LTS 2022 10.12, LTS 2020 9.80, LTS 2020 9.80 tracks and the (former LTS) 8.40 and 6.50 tracks for products still under AXIS OS software support.

Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found 1 flaw in AXIS OS:
CVE-2024-6979 (CVSSv3.1: 6.8 Medium) affecting AXIS OS 11.11. A broken access control allowed to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of account passwords and social engineering attacks in tricking the administrator to perform specific configurations on operator- and/or viewer-privileged accounts.

Axis has released patches for this flaw on the LTS 2024 11.11 track.

During internal ASDM threat-modelling, Axis has found 1 flaw in AXIS OS:
CVE-2024-7784 (CVSSv3.1: 6.1 Medium) affecting Axis ARTPEC-8 products running AXIS OS 10.9 - 11.11, Axis i.MX8 QP products running AXIS OS 11.11, Axis i.MX6 SX, i.MX6 ULL products running AXIS OS 10.10 - 11.11, Axis i.MX8M Mini, and i.MX8M Nano UL products running AXIS OS 11.8 - 11.1. The flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this protection. To Axis’ knowledge, no known exploits exist publicly as of today and Axis is not aware that this has been exploited.

Axis has released patches for this flaw on the 12.0 Active Track, LTS 2024 11.11 and LTS 2022 10.12 tracks. For security reasons, that patch then will enforce also downgrade restrictions meaning that the product can only be downgraded to the latest version of the LTS 2024 11.11 or LTS 2022 10.12 track, if the product has support for it. Other older or intermediate AXIS OS versions will not be accepted by the product from there on.

Johan Fagerström, member of the AXIS OS Bug Bounty Program, has found a flaw (CVE-2024-0066 - CVSSv3.1: 5.3 Medium) in a O3C feature that may expose sensitive traffic between the client (Axis device) and (O3C) server. If O3C is not being used this flaw does not apply. 

Axis has released a patch for this flaw on the 11.10 Active Track, LTS 2022 10.12, LTS 2020 9.80 and the (former LTS) 8.40 and 6.50 tracks as well as the 5.51 software track for products still under AXIS OS software support.

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found 2 flaws in AXIS OS:

CVE-2024-0054 (CVSSv3.1: 6.5 Medium) affecting AXIS OS 6.50 - 11.8. The VAPIX APIs local_list.cgi, create_overlay.cgi and irissetup.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack

CVE-2024-0055 (CVSSv3.1: 6.5 Medium) affecting AXIS OS 10.12 - 11.8. The VAPIX APIs mediaclip.cgi and playclip.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack.

Axis has released patches for these flaws on the 11.9 Active Track, LTS 2022 10.12, LTS 2020 9.80, LTS 2020 9.80 and the (former LTS) 8.40 and 6.50 tracks for products still under AXIS OS software support.

Brandon Rothel from QED Secure Solutions has found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw (CVSSv3.1: 6.3 Medium - CVE-2023-5677) can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Axis has released patches for this flaw on the 5.51 software track for products still under software support.

Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw (CVSSv3.1: 5.4 Medium - CVE-2023-5800) can only be exploited after authenticating with an operator- or administrator-privileged service account. 

Axis has released patches for these flaws on the 11.8 Active Track, LTS 2022 10.12, LTS 2020 9.80 and the (former LTS) 8.40 and 6.50 tracks for products still under AXIS OS software support.

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found 3 flaws in AXIS OS: 
CVE-2023-21416 (CVSSv3.1: 7.1 High) affecting AXIS OS 10.12 - 11.6. The Axis VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account however the impact is equal.

CVE-2023-21417 (CVSSv3.1: 7.1 High) affecting AXIS OS 8.50 - 11.6. The VAPIX API manageoverlayimage.cgi was vulnerable to path traversal attacks that allows for file/folder deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator-privileges. 

CVE-2023-21418 (CVSSv3.1: 7.1 High) affecting AXIS OS 6.50 - 11.6. The VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator-privileges. 

Axis has released patches for these 3 flaws on the AXIS OS 11.7 Active Track, LTS 2022 10.12, LTS 2020 9.80, LTS 2018 8.40 and the (former) LTS 6.50 track for products still under AXIS OS software support.

During internal ASDM threat-modelling a flaw (CVSSv3.1: 7.6 High - CVE-2023-5553) was found in the protection for device tampering (commonly known as Secure Boot) on ARTPEC-8 products running AXIS OS 10.8 – 11.5 which provides an opportunity for a sophisticated attack to bypass this protection. Axis has released patched versions on the AXIS OS 11.7 Active Track and AXIS OS 10.12 LTS track.

GoSecure on behalf of Genetec Inc. has found a flaw (CVSSv3.1: 9.1 Critical - CVE-2023-21413) in AXIS OS 10.5 – 11.5 that allowed for a remote code execution during the installation of ACAP applications on the Axis device. The application handling service in AXIS OS was vulnerable to command injection allowing an attacker to run arbitrary code. Axis has released patched versions on the AXIS OS 10.12 LTS and the 11.6 software track.

NCC Group has found a flaw (CVSSv3.1: 7.1 High - CVE-2023-21414) during the annual internal penetration test ordered by Axis Communications. For AXIS A8207-VE Mk II, AXIS Q3527-LVE and all ARTPEC-8 products, the protection for device tampering (commonly known as Secure Boot) in AXIS OS 10.11 – 11.5 contains a flaw which provides an opportunity for a sophisticated attack to bypass this protection. Axis has released patched versions on the AXIS OS 10.12 LTS and the 11.6 software track. 

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi was vulnerable to path traversal attacks that allows for file deletion in AXIS OS 6.50 – 11.5 (CVSSv3.1: 6.5 Medium - CVE-2023-21415). Axis has released patched versions on the 11.6 Active Track, LTS 2022 10.12, LTS 2020 9.80, LTS 2018 8.40 and the (former) LTS 6.50 track for products still under AXIS OS software support.

Diego Giubertoni from Nozomi Networks Inc. has found multiple flaws (CVSSv3.1: High - CVE-2023-21407, CVE-2023-21408, CVE-2023-21409, CVE-2023-21410, CVE-2023-21411, CVE-2023-21412) in the AXIS License Plate Verifier ACAP application. Axis has released a patched version of AXIS License Plate Verifier (2.8.4). Pre-installed versions of AXIS License Plate Verifier for kit cameras are updated on the AXIS OS 10.12 LTS and 11.5 track.

Knud from Fraktal.fi has found a flaw in some Axis Network Door Controllers and Axis Network Intercoms when communicating over OSDP (CVE-2023-21405), highlighting that the OSDP message parser crashes the pacsiod process, causing a temporary unavailability of the door-controlling functionalities. Axis has released a patched version for affected devices that increases the robustness of the OSDP message parser and patches the highlighted flaw.

Ariel Harush and Roy Hodir from OTORIO have found a flaw in the AXIS A1001 when communicating over OSDP (CVE-2023-21406). A heap-based buffer overflow was found in the pacsiod process which is handling the OSDP communication allowing to write outside of the allocated buffer. Axis has released a patched version for affected devices that increases the robustness of the OSDP message parser and patches the highlighted flaw.

Alexander Pick, member of the AXIS OS Bug Bounty Program, has found a flaw in AXIS OS 11.0.X - 11.3.x (CVE-2023-21404) that does not follow Axis secure development best practices. A static RSA key was used to encrypt Axis-specific source code in legacy LUA-components.

Statement from Axis Communications on the discovered BOA webserver vulnerabilities (CVE-2017-9833 and CVE-2021-33558). Axis has been using the BOA webserver in its legacy products from firmware 5.65 and lower. However, these products are not affected as the required 3rd party components[1] for exploiting the vulnerabilities are not used in Axis products. In addition to that, further protection is provided by performing input validation on API-interfaces. Newer Axis products with firmware 5.70 and higher utilize the Apache webserver and the BOA webserver was therefore removed.

[1] backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, config.js and /cgi-bin/wapopen are not used

Statement from Axis Communications on the uClibc DNS vulnerability discovered by Nozomi Networks (CVE-2021-43523, CVE-2022-30295). Axis has not incorporated the uClibc package since 2010 in Axis products, software and services. To date, no active selling or discontinued Axis product that is still under hardware or software support is therefore affected by this vulnerability except for the AXIS P7701 Video Decoder. We are currently awaiting the availability of an upstream patch to be available to judge if we can provide a service release that patches this vulnerability.

Axis acknowledges the importance and hard work performed by independent researchers and companies and therefore lists outstanding contributors in our new Product Security Hall of Fame.

An updated version of the AXIS OS Hardening Guide as well as a all-new hardening guide for AXIS Camera Station System has been released.

The Axis Security Team has updated the vulnerability management policy for products, software and services aiming to provide a more detailed and comprehensive vulnerability management process. The Axis Security Notification Service will be used from now on to inform on regular bases not only about Axis vulnerabilities but also 3rd party open-source components such as Apache, OpenSSL and others used in Axis products, software and services.