CISA has published an alert to inform users of Tyco Illustra cameras about CVE-2021-3156, a critical heap buffer overflow vulnerability on Sudo that could lead to a hacker obtaining administrator access to the underlying Linux OS. Successfully exploiting the flaw is simple as there’s not much complexity involved in the process, and the fact that the affected products are deployed in critical manufacturing fields across the globe is making the situation pretty bad.
The particular flow affects a wide range of products that use the Sudo program, all versions before 1.9.5p2, and this includes several Tyco camera models. Exploiting it requires local access to the devices, which somewhat alleviates the criticality, but it is open to unprivileged users who don’t need to authenticate in order to carry out the attack. Several Linux distributions have already published relevant advisories about this and updated their Sudo to prevent exploitation.
The vulnerable cameras carry the Tyco brand, but they are made by ‘Sensormatic Electronics,’ a subsidiary of Johnson Controls. The models that are affected by the flaw are the following:
Upgrading to the versions indicated above resolves the problem. Unfortunately, all Pro 2 versions are vulnerable, and there will be no fix for the particular model as it has already reached its end of life and is no longer supported by the vendor. In addition to applying the updates, users are advised to restrict physical access to the device to authorized personnel only and ensure that the principles of “least privilege” are followed in the organization.
In general, when using surveillance systems in sensitive environments, following an insider threat prevention strategy is key. Perform frequent risk assessments, apply patches as soon as they come out, use data encryption and MFA wherever possible, actively monitor all access, lock server rooms, document all electronics in the premises, and define access zones with certain privilege tiers.