GeoVision GV-IP Device Utility Insufficient Encryption Vulnerability in Device Authentication

A vulnerability allowing credential leakage through insufficient encryption has been identified in the Device Authentication feature of GeoVision GV-IP Device Utility version 9.0.5. This issue arises when the utility interacts with various GeoVision devices over the network, as it may send privileged commands that require the device's username and password. While the credentials are encrypted using a cryptographic protocol resembling Blowfish, the symmetric key for the encryption is also included in the broadcasted UDP packets. This design flaw allows an attacker on the same local area network to intercept and decrypt the credentials, gaining full control over the device's configuration, including the ability to change its IP address or reset it to factory defaults.

Impact

Exploitation of this vulnerability allows an attacker to intercept and decrypt broadcasted credentials, providing full control over the affected GeoVision device's configuration.

Reproduction

To reproduce this vulnerability, an admin user must interact with a GeoVision device using the GV-IP Device Utility 9.0.5. During this interaction, the utility will broadcast commands over UDP, including the device's username and password. An attacker on the same LAN can listen to this broadcast traffic, intercept the credentials, and decrypt them using a custom implementation of the encryption algorithm, which is derived from Blowfish.