CVE-2023-34552

Vulnerability

Stack-based buffer overflows exist in the mulicast_parse_sadp_packet and mulicast_get_pack_type functions of the SADP multicast protocol in multiple EZVIZ camera models. Affected firmware versions include CS-C6N-B0-1G2WF before V5.3.0 build 230215, CS-C6N-R101-1G2WF before V5.3.0 build 230215, CS-CV310-A0-1B2WFR before V5.3.0 build 230221, CS-CV310-A0-1C2WFR-C before V5.3.2 build 230221, CS-C6N-A0-1C2WFR-MUL before V5.3.2 build 230218, CS-CV310-A0-3C2WFRL-1080p before V5.2.7 build 230302, CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p before V5.3.2 build 230214, CS-CV248-A0-32WMFR before V5.2.3 build 230217, and EZVIZ LC1C before V5.3.4 build 230214. [2]

Exploitation

An unauthenticated attacker on the same local network as the affected camera can send specially crafted multicast packets to trigger the buffer overflows. No authentication or user interaction is required. The attacker must be able to reach the camera's multicast listener on the local network segment.

Impact

Successful exploitation allows remote code execution on the camera. The attacker gains full control over the device, potentially enabling surveillance, data exfiltration, or use as a pivot point within the network.

Mitigation

EZVIZ has released firmware updates to address these vulnerabilities. Users should update to the latest firmware versions as specified: for CS-C6N-B0-1G2WF and CS-C6N-R101-1G2WF to V5.3.0 build 230215 or later; for CS-CV310-A0-1B2WFR to V5.3.0 build 230221 or later; for CS-CV310-A0-1C2WFR-C to V5.3.2 build 230221 or later; for CS-C6N-A0-1C2WFR-MUL to V5.3.2 build 230218 or later; for CS-CV310-A0-3C2WFRL-1080p to V5.2.7 build 230302 or later; for CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p to V5.3.2 build 230214 or later; for CS-CV248-A0-32WMFR to V5.2.3 build 230217 or later; and for EZVIZ LC1C to V5.3.4 build 230214 or later. [2] No workarounds are documented; network segmentation may reduce exposure.