Hello all. This has been out there since April of 2020 but I didn't see any posts here so in the name of information dissemination, I wanted to put it out there.
Although Amcrest cameras have a few acknowledged and unacknowledged security-related flaws that we all seem to put up with for the sake of running cheap IP cameras, they seemed to have made the official Government list of known vulnerabilities with CVE-2020-5735 (buffer overflow and out-of-bounds write issues). This cataloged vulnerability has also made the Cybersecurity & Infrastructure Security Agency's (CISA) list of known exploited vulnerability list as well (Known Exploited Vulnerabilities Catalog | CISA).
For those of us that are running Amcrest anything, if we're segregating and FW blocking this equipment at minimum, then this CVE shouldn't be an big concern (although you should still patch!). And go the extra Cyber Security mile and never expose your cameras/collectors to the internet (directly, port forwarded, or any other scheme that sounds safe).
In most cases, the fixed firmware version is not readily available for download. You must open a support case using your specific model/serial # and they'll provide a download link for your system/cameras. Again, the fixed firmware version is not listed on their website. So if you think you're implementing all the security patches by downloading the most recent firmware from their page (like I was), you are most likely mistaken.
I hope this helps!
Kurt
Reference links:
nvd.nist.gov
www.cisa.gov
cwe.mitre.org
cwe.mitre.org
www.nist.gov
Although Amcrest cameras have a few acknowledged and unacknowledged security-related flaws that we all seem to put up with for the sake of running cheap IP cameras, they seemed to have made the official Government list of known vulnerabilities with CVE-2020-5735 (buffer overflow and out-of-bounds write issues). This cataloged vulnerability has also made the Cybersecurity & Infrastructure Security Agency's (CISA) list of known exploited vulnerability list as well (Known Exploited Vulnerabilities Catalog | CISA).
For those of us that are running Amcrest anything, if we're segregating and FW blocking this equipment at minimum, then this CVE shouldn't be an big concern (although you should still patch!). And go the extra Cyber Security mile and never expose your cameras/collectors to the internet (directly, port forwarded, or any other scheme that sounds safe).
In most cases, the fixed firmware version is not readily available for download. You must open a support case using your specific model/serial # and they'll provide a download link for your system/cameras. Again, the fixed firmware version is not listed on their website. So if you think you're implementing all the security patches by downloading the most recent firmware from their page (like I was), you are most likely mistaken.
I hope this helps!
Kurt
Reference links:
NVD - CVE-2020-5735
nvd.nist.gov
Known Exploited Vulnerabilities Catalog | CISA
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV...
www.cisa.gov
CWE - CWE-787: Out-of-bounds Write (4.15)
Common Weakness Enumeration (CWE) is a list of software weaknesses.
CWE - CWE-121: Stack-based Buffer Overflow (4.15)
Common Weakness Enumeration (CWE) is a list of software weaknesses.
Cybersecurity
NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S.
You have to be ten kinds of stupid to force Joe Public to go out of their way to make a support call. All of this doesn't even address the fact the percentage of people who even go out of their way to update their systems is next to zero.