Executive Summary

The MERCURY MIPC252W IP camera firmware version 1.0.5 Build 230306 Rel.79931n has an improper authentication vulnerability in its RTSP service. After a user successfully authenticates using Digest authentication during the initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session.

This means that RTSP methods like SETUP, PLAY, and TEARDOWN can be executed even if the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier match those of a previously authenticated session.

An attacker with network access can reuse session parameters to issue unauthorized RTSP control commands without needing to compute a valid Digest response, effectively bypassing per-request authentication checks after the initial authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with network access to hijack an authenticated RTSP session and send unauthorized RTSP control commands such as SETUP, PLAY, and TEARDOWN.

While the impact is limited and does not affect confidentiality or availability, it compromises the security of the RTSP authentication mechanism by allowing unauthorized control over the camera's streaming functions.

The attacker can control media streaming commands without needing to re-authenticate properly, which could lead to unauthorized monitoring or disruption of video streams.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring RTSP traffic for sessions where subsequent RTSP requests (such as SETUP, PLAY, TEARDOWN) are accepted despite having empty or invalid Digest response parameters in the Authorization header after an initial successful Digest authentication.

A proof-of-concept (PoC) script demonstrates detection by performing the following steps:

• Send an unauthenticated DESCRIBE request to obtain the server nonce.
• Complete a valid Digest authentication with a second DESCRIBE request.
• Send SETUP, PLAY, and TEARDOWN requests with empty Digest response parameters in the Authorization header.
• Check if these requests are accepted and processed despite invalid authentication parameters.

Network monitoring tools like Wireshark can be used to capture and analyze RTSP traffic to observe this behavior.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting network access to the RTSP service to trusted users only, as the vulnerability requires local network access.

Additionally, monitor RTSP sessions for suspicious activity such as unauthorized RTSP commands being accepted without proper authentication.

If possible, disable the RTSP service temporarily until a firmware update or patch addressing this authentication flaw is available from the vendor.

Implement network segmentation or firewall rules to limit exposure of the IP camera to untrusted networks.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized RTSP control commands to be executed after a single successful authentication due to improper session parameter validation. This could lead to unauthorized access or control of the IP camera within a local network.

However, the vulnerability has a low CVSS score (2.3) and does not impact confidentiality or availability, only integrity to a limited extent.

There is no direct information provided about its impact on compliance with standards like GDPR or HIPAA.

Useful 0 Not Useful 0