Xiongmai XM530 IP Cameras Authentication Bypass Vulnerability
Vulnerability
An authentication bypass vulnerability has been identified in Xiongmai XM530 IP cameras running ONVIF firmware version V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. This vulnerability allows unauthenticated remote attackers to access sensitive device information and live video streams. The issue arises because the ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized access to video streams and other sensitive data.
Impact
Exploitation of this vulnerability allows unauthorized remote access to live video and audio streams, complete device configuration, user account information and credentials, PTZ (Pan-Tilt-Zoom) control, relay output manipulation, and network reconnaissance. Exposure of this kind also violates privacy regulations and enables mass surveillance operations.
Reproduction
The vulnerability can be reproduced by sending unauthenticated SOAP requests to the camera's ONVIF device service endpoint. This can be done using tools like curl, without the need for authentication credentials. The request can include commands to access device information, video stream URIs, network configuration, and other sensitive data through the vulnerable ONVIF endpoints.
Remediation
Users are advised to isolate the cameras on a separate VLAN without internet access, block inbound connections to common ports used by the cameras, disable the ONVIF protocol if possible, and avoid exposing the cameras directly to the internet. Given the vendor's poor security history, replacement of the cameras is recommended. The vendor should implement proper WS-Security authentication on all ONVIF endpoints, follow ONVIF Core Specification security requirements, add rate limiting and brute force protection, and enable security logging and alerts. However, no patch is currently available.
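A detection sketch for the condition described above, added here as an example and not taken from the advisory or the vendor: it reviews ONVIF requests captured at a proxy or network tap and reports operations the camera answered with HTTP 200 although the request carried neither a WS-Security UsernameToken nor an HTTP Digest header. The event fields, the `PRE_AUTH_OPS` allow-list, and the sample records are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SOAP_ENVS = ("http://www.w3.org/2003/05/soap-envelope",
             "http://schemas.xmlsoap.org/soap/envelope/")
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Assumption: operations your policy allows without credentials; adjust as needed.
PRE_AUTH_OPS = {"GetSystemDateAndTime"}

def classify(headers, body):
    """Return (operation, verdict) for one captured ONVIF HTTP request.
    Only the presence of credentials is checked, not their validity."""
    try:
        root = ET.fromstring(body)  # prefer defusedxml for untrusted captures
    except ET.ParseError:
        return ("?", "malformed")
    env = next((ns for ns in SOAP_ENVS if root.tag == f"{{{ns}}}Envelope"), None)
    if env is None:
        return ("?", "not-soap")
    payload = root.find(f"{{{env}}}Body")
    has_op = payload is not None and len(payload) > 0
    op = payload[0].tag.rsplit("}", 1)[-1] if has_op else "?"
    tok = root.find(f"{{{env}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    has_wsse = (tok is not None and tok.findtext(f"{{{WSSE}}}Username")
                and tok.findtext(f"{{{WSSE}}}Password"))
    # Assumption: header names were lower-cased by the capture pipeline.
    has_digest = headers.get("authorization", "").lower().startswith("digest ")
    if has_wsse or has_digest:
        return (op, "credentials-present")
    return (op, "pre-auth" if op in PRE_AUTH_OPS else "no-credentials")

def bypass_findings(events):
    """(source, operation) pairs served with HTTP 200 despite no credentials."""
    hits = [(ev["src"], *classify(ev["headers"], ev["body"]), ev["status"])
            for ev in events]
    return [(s, op) for s, op, v, st in hits if v == "no-credentials" and st == 200]

def _req(src, op, status, hdr_xml="", http=None):  # builds constructed samples
    body = (f'<s:Envelope xmlns:s="{SOAP_ENVS[0]}" xmlns:w="{WSSE}"><s:Header>'
            f'{hdr_xml}</s:Header><s:Body><{op} xmlns="http://www.onvif.org/'
            f'ver10/device/wsdl"/></s:Body></s:Envelope>')
    return {"src": src, "status": status, "headers": http or {}, "body": body}

_TOK = ("<w:Security><w:UsernameToken><w:Username>op</w:Username>"
        "<w:Password>constructed</w:Password></w:UsernameToken></w:Security>")
SAMPLE = [  # constructed records using documentation IP addresses
    _req("192.0.2.10", "GetDeviceInformation", 200),
    _req("192.0.2.10", "GetSystemDateAndTime", 200),
    _req("192.0.2.20", "GetUsers", 200, _TOK),
    _req("192.0.2.30", "GetUsers", 401),
    _req("192.0.2.40", "GetUsers", 200, http={"authorization": "Digest x"}),
]
```

A non-empty result from `bypass_findings` on traffic to a camera means it served a protected operation to a caller that presented no credentials, which is the behaviour this advisory describes.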
