CVE-2017-8227
CVE-2017-8227 is a critical-severity vulnerability in Amcrest Ipm-721s Firmware with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-254.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 5.0
- EPSS exploit prediction: 4% (90th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-254
- Affected product: Amcrest Ipm-721s Firmware
- Published:
- Last modified:
Description
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a timeout policy to wait for 5 minutes in case 30 incorrect password attempts are detected using the Web and HTTP API interface provided by the device. However, if the same brute force attempt is performed using the ONVIF specification (which is supported by the same binary) then there is no account lockout or timeout executed. This can allow an attacker to circumvent the account protection mechanism and brute force the credentials. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected using binwalk tool, one obtains a _user-x.squashfs.img.extracted archive which contains the filesystem set up on the device that many of the binaries in the /usr folder. The binary "sonia" is the one that has the vulnerable function that performs the credential check in the binary for the ONVIF specification. If one opens this binary in IDA-pro one will notice that this follows a ARM little endian format. The function at address 00671618 in IDA pro is parses the WSSE security token header. The sub_ 603D8 then performs the authentication check and if it is incorrect passes to the function sub_59F4C which prints the value "Sender not authorized."
Frequently asked questions
- What is CVE-2017-8227?
- Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a timeout policy to wait for 5 minutes in case 30 incorrect password attempts are detected using the Web and HTTP API interface provided by the device. However, if the same brute force attempt is performed using the ONVIF specification (which is supported by the same binary) then there is no account lockout or timeout executed. This can allow an attacker to circumvent the account protection mechanism and brute force the credentials. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected using binwalk tool, one obtains a _user-x.squashfs.img.extracted archive which contains the filesystem set up on the device that many of the binaries in the /usr folder. The binary "sonia" is the one that has the vulnerable function that performs the credential check in the binary for the ONVIF specification. If one opens this binary in IDA-pro one will notice that this follows a ARM little endian format. The function at address 00671618 in IDA pro is parses the WSSE security token header. The sub_ 603D8 then performs the authentication check and if it is incorrect passes to the function sub_59F4C which prints the value "Sender not authorized."
- How severe is CVE-2017-8227?
- CVE-2017-8227 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-8227 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 4% (90th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2017-8227?
- CVE-2017-8227 affects Amcrest Ipm-721s Firmware. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2017-8227?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2017-8227 published?
- CVE-2017-8227 was published on 2019-07-03 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/153224/Amcrest-IPM-721S-Credential-Disclosure-Privilege-Escalation.html
- https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Amcrest_sec_issues.pdf
- https://seclists.org/bugtraq/2019/Jun/8
Affected products (1)
- cpe:2.3:o:amcrest:ipm-721s_firmware:*:*:*:*:*:*:*:*
More vulnerabilities in Amcrest Ipm-721s Firmware
- CVE-2017-8229 — Critical (CVSS 9.8): Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative…
- CVE-2017-8226 — Critical (CVSS 9.8): Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have default credentials that are hardcoded in the firmware and can…
- CVE-2017-13719 — Critical (CVSS 9.8): The Amcrest IPM-721S Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 allows HTTP requests that permit enabling various…
- CVE-2017-8230 — High (CVSS 8.8): On Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices, the users on the device are divided into 2 groups "admin" and…
- CVE-2017-8228 — High (CVSS 8.8): Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices mishandle reboots within the past two hours. Amcrest cloud services…
All CVEs affecting Amcrest Ipm-721s Firmware →
Other CWE-254 vulnerabilities
- CVE-2016-5788 — Critical (CVSS 10.0): General Electric (GE) Bently Nevada 3500/22M USB with firmware before 5.0 and Bently Nevada 3500/22M Serial have open…
- CVE-2015-3972 — Critical (CVSS 10.0): The web interface on Janitza UMG 508, 509, 511, 604, and 605 devices supports only short PIN values for authentication,…
- CVE-2015-1158 — Critical (CVSS 10.0): The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for…
- CVE-2019-15149 — Critical (CVSS 9.8): core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a…
- CVE-2016-9568 — Critical (CVSS 9.8): A security design issue can allow an unprivileged user to interact with the Carbon Black Sensor and perform…
- CVE-2011-4889 — Critical (CVSS 9.8): The javax.naming.directory.AttributeInUseException class in the Virtual Member Manager in IBM WebSphere Application…