A vulnerability (referred to as Devil's Ivy) was discovered in a web service used by Axis IP-based cameras, which are used in Axon Interview deployments. This vulnerability can result in attackers gaining access to the IP cameras, with the ability to cause a camera to function in an undesired manner. This can manifest as one of the following ways:
- Disruption of the video streaming and recording.
- Execution of arbitrary functions, such as an attack on other devices or extraction of video information.
- Inability to access or control cameras, due to reset of management credentials.
No specific condition or operation is required to trigger the vulnerability. The overall risk is reduced, while still present, if the IP cameras are installed behind a firewall or on an isolated network without access to the Internet. An attacker must have network access to the camera to exploit the vulnerability. Cameras that are exposed and accessible from the Internet are at a much higher risk and require more immediate attention.
Scope of Impact
A number of Axis IP-based cameras are affected by this vulnerability. This includes the AXIS® F41 and AXIS P3364 cameras that are commonly installed by Axon. Devices that are NOT affected include cameras with firmware version 4.x.x or earlier, or AXIS P7701 and AXIS P8221 model cameras. A complete list of the camera models affected can be found in the Axis Security Advisory document.
Note: Only the third-party cameras used by Axon Interview are impacted by this vulnerability. The Axon Interview and Evidence.com products are not impacted and do not require any additional actions.
A firmware fix for the vulnerability is currently available. All impacted cameras should be updated to the latest firmware version as soon as possible. If your agency's Axon Interview deployment contains of any of the affected cameras, you should pursue one of the following update options:
- Axon Supported Update: Axon is available to perform the camera firmware updates, should your agency desire. To pursue this option, please contact Axon Customer Service at CS@axon.com to schedule an update. This update will require temporary access to the agency network and will take each camera offline for approximately 10 minutes. The total time required to perform the updates depends on the number of cameras at your agency.
- Self-Supported Update: If your agency's IT department is comfortable performing the update themselves, the latest firmware version for the cameras can be downloaded at: https://www.axis.com/support/firmware. This will require registration through Axis and knowledge of the specific camera models deployed. The AXIS Camera Management application for Microsoft Windows may be downloaded to simplify and automate the firmware update process. The AXIS Camera Management application can be downloaded from the Axis website at: https://www.axis.com/products/axis-camera-management. Should your agency wish to perform the update manually, Axon Customer Service can provide detailed instructions.
Note: Both update processes will force an immediate reboot of the camera. To prevent loss of video footage, ensure there are no active recording sessions in progress prior to updating the firmware.
Streaming Service Security Vulnerability
A vulnerability was reported by Wowza Media Systems, who provides third-party software used by Axon Interview for processing the video streams from the IP cameras. These potential vulnerabilities could be exploited by a third-party to negatively impact the video stream or allow unintended access to the server.
No specific condition or operation is required to trigger the vulnerability. The overall risk is reduced, while still present, if the servers are installed behind a firewall or on an isolated network without access to the Internet. An attacker must have network access to the server to exploit the vulnerability. Servers that are exposed and accessible from the Internet are at a much higher risk and require more immediate attention.
Scope of Impact
All instances of Axon Interview v3.6.8 and earlier have the potential to be impacted by this vulnerability and require a software patch to address the issue. For specifics regarding the low-level details of the vulnerability, please contact the Wowza support team at email@example.com. Please also note that this vulnerability has no impact on Evidence.com or the storage of evidentiary information.
A software patch for the vulnerability is currently available. This patch is provided by Axon in the form of an executable file that will automatically install the software patch and restart the Axon Interview services upon completion. To obtain the patch, please please contact Axon Customer Service at CS@axon.com. The patch can be applied by right clicking on the included BAT file and selecting “Run as Administrator”.
Note: The update process will cause recording and viewing capabilities to be temporarily disrupted. The overall length of disruption is dependent upon the total number of cameras, which downtime scaling at a rate of 30 seconds per camera. To prevent loss of video footage, ensure there are no active recording sessions in progress prior to patching the software.