Apeman ID71 ONVIF Service Missing Authentication Vulnerability
Vulnerability
A vulnerability exists in the Apeman ID71 camera running firmware version 218.53.203.117. The issue lies within the ONVIF service, specifically the '/onvif/device_service' endpoint, which is exposed on port 10080. The endpoint does not enforce authentication, so an unauthenticated attacker on the same network can obtain the RTSP URI for the camera's live video stream. Exploitation does not require any credentials and can be performed remotely.
Impact
Exploitation of this vulnerability leads to unauthorized access to the camera's live video feed via RTSP, without the need for authentication. This could expose sensitive information, such as details affecting personal privacy or security, depending on the camera's location and usage.
Reproduction
To reproduce this vulnerability, send a SOAP POST request to the '/onvif/device_service' endpoint without authentication. This can be done using a tool like curl, with the appropriate headers and SOAP envelope to request media profiles. Once the profiles are retrieved, the RTSP URI for the live stream can be obtained by sending another SOAP request using the profile token. The retrieved RTSP URI can then be opened in a media player, such as VLC, to view the live stream.
Remediation
It is recommended to require authentication for ONVIF media and device services, enforce credentials on RTSP streaming endpoints, and restrict access through network ACLs or VLAN segmentation. If ONVIF is not needed, it should be disabled or limited to trusted management hosts. Users should also check for available firmware updates that address this vulnerability.
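One way to verify the remediation from captured traffic, as an added example that is not part of the original advisory: the script flags ONVIF media requests to '/onvif/device_service' that the camera answered with HTTP 200 although they carried neither an HTTP Authorization header nor a WS-Security UsernameToken. The record layout, the sample addresses and the assumption that a hardened device answers such calls with a non-200 status are assumptions of this example.

```python
import xml.etree.ElementTree as ET
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ONVIF_PATH = "/onvif/device_service"             # endpoint named in the advisory
SENSITIVE_OPS = {"GetProfiles", "GetStreamUri"}  # standard ONVIF media operations

def _local(tag):
    return tag.rsplit("}", 1)[-1]                # strip the "{namespace}" prefix

def inspect_envelope(body):
    """Return (operation name, WS-Security UsernameToken present)."""
    if "<!DOCTYPE" in body:                      # SOAP forbids DTDs; refuse to parse them
        return None, False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, False
    op, has_token = None, False
    for part in root:
        if _local(part.tag) == "Body" and len(part):
            op = _local(part[0].tag)
        elif _local(part.tag) == "Header":
            has_token = part.find(f".//{{{WSSE_NS}}}UsernameToken") is not None
    return op, has_token

def unauthenticated_hits(records):
    """Sensitive ONVIF calls the device served (HTTP 200) without any credentials."""
    hits = []
    for r in records:
        op, has_token = inspect_envelope(r["body"])
        has_http_auth = any(k.lower() == "authorization" for k in r["headers"])
        served = r["path"] == ONVIF_PATH and r["status"] == 200
        if served and op in SENSITIVE_OPS and not (has_token or has_http_auth):
            hits.append((r["src"], op))
    return hits

def _env(op, header=""):
    # Constructed SOAP 1.2 envelope; the operation element is left unqualified for brevity.
    return (f'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
            f'xmlns:wsse="{WSSE_NS}"><s:Header>{header}</s:Header>'
            f'<s:Body><{op}/></s:Body></s:Envelope>')

TOKEN = "<wsse:Security><wsse:UsernameToken/></wsse:Security>"
SAMPLE = [  # constructed records (hypothetical layout), documentation-range addresses
    {"src": "192.0.2.50", "path": ONVIF_PATH, "headers": {}, "status": 200, "body": _env("GetProfiles")},
    {"src": "192.0.2.50", "path": ONVIF_PATH, "headers": {}, "status": 200, "body": _env("GetStreamUri")},
    {"src": "192.0.2.10", "path": ONVIF_PATH, "headers": {}, "status": 200, "body": _env("GetStreamUri", TOKEN)},
    {"src": "192.0.2.11", "path": ONVIF_PATH, "headers": {"Authorization": "Digest ..."}, "status": 200, "body": _env("GetProfiles")},
    {"src": "192.0.2.60", "path": ONVIF_PATH, "headers": {}, "status": 401, "body": _env("GetProfiles")},
]
```

Calling `unauthenticated_hits(SAMPLE)` returns only the two requests from 192.0.2.50; after the fix is deployed, the same check over fresh captures should return an empty list.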
