CVE-2021-3793

Vulnerability

An improper access control vulnerability exists in some Motorola-branded Binatone Hubble Cameras [1]. The device fails to properly enforce authentication on administrative web pages, allowing an unauthenticated attacker on the same network to access these pages. The affected versions are not specified in the available reference, but the advisory covers multiple camera models.

Exploitation

An attacker needs to be on the same local network as the vulnerable camera and does not require any authentication. By sending HTTP requests to the camera's administrative interface, the attacker can access pages that should be restricted. No user interaction or special privileges are needed.

Impact

Successful exploitation can lead to information disclosure, such as sensitive device configuration or credentials, or allow the attacker to trigger a firmware update using a verified firmware image. The advisory also lists privilege escalation and denial of service as potential impacts for the broader set of vulnerabilities, but for this specific CVE, the primary outcomes are information disclosure and unauthorized firmware update.

Mitigation

As of the publication date (2021-11-12), no specific firmware fix or workaround has been disclosed in the available reference [1]. Users are advised to monitor the vendor's security advisory page for updates. The device may be end-of-life; consult Binatone for support.