GeoVision GV-IP Device Utility Insufficient Encryption Vulnerability in Device Authentication

Vulnerability

A vulnerability allowing credential leakage through insufficient encryption has been identified in the Device Authentication feature of GeoVision GV-IP Device Utility version 9.0.5. When an admin user interacts with certain GeoVision devices over the network, the utility may send privileged commands that require the device's username and password. Although the credentials are encrypted using a cryptographic protocol resembling Blowfish, the symmetric key for the encryption is included in the same packet. This design flaw allows an attacker on the same local area network to intercept and decrypt the credentials, gaining full control over the device's configuration, including the ability to change its IP address or reset it to factory defaults.
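The flaw described above, shown next to a design that keeps the key off the wire. This is an added example, not code from GeoVision or the original advisory. The packet layout, the SHA-256 keystream standing in for the Blowfish-like cipher, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 keystream). Assumption: NOT Blowfish and NOT the
    # utility's real algorithm; the flaw below does not depend on the cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def flawed_packet(credentials: bytes) -> bytes:
    # Constructed layout: key(16) | nonce(8) | ciphertext. The key rides along.
    key, nonce = os.urandom(16), os.urandom(8)
    return key + nonce + _stream_xor(key, nonce, credentials)

def recoverable_from_wire(packet: bytes) -> bytes:
    # Uses only bytes present in the packet: no secret is needed to decrypt,
    # so the encryption adds no confidentiality on a shared network.
    key, nonce, body = packet[:16], packet[16:24], packet[24:]
    return _stream_xor(key, nonce, body)

def derive_key(password: bytes, salt: bytes) -> bytes:
    # Both ends derive the key locally; it is never transmitted.
    # Weak passwords remain guessable offline, so a PAKE or TLS is stronger.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def sign_command(key: bytes, challenge: bytes, command: bytes) -> bytes:
    # Client proves knowledge of the password over a device-issued challenge.
    return hmac.new(key, challenge + command, hashlib.sha256).digest()

def device_accepts(key: bytes, challenge: bytes, command: bytes, tag: bytes) -> bool:
    # Device recomputes the tag; a fresh challenge per request defeats replay.
    return hmac.compare_digest(sign_command(key, challenge, command), tag)
```

In the second design the wire carries only the challenge, the command and the tag, so a captured exchange contains neither the password nor the key.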

Impact

Exploitation of this vulnerability allows an attacker to intercept and decrypt broadcast credentials, giving them full control over the affected GeoVision device's configuration.

Added: Apr 27, 2026, 12:23 AM
Updated: Apr 27, 2026, 12:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 6.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.