Cybersecurity resources

Diego Giubertoni from Nozomi Networks Inc. has found multiple flaws (CVSSv3.1: High - CVE-2023-21407, CVE-2023-21408, CVE-2023-21409, CVE-2023-21410, CVE-2023-21411, CVE-2023-21412) in the AXIS License Plate Verifier ACAP application. Axis has released a patched version of AXIS License Plate Verifier (2.8.4). Pre-installed versions of AXIS License Plate Verifier for kit cameras are updated on the AXIS OS 10.12 LTS and 11.5 track.

Knud from Fraktal.fi has found a flaw in some Axis Network Door Controllers and Axis Network Intercoms when communicating over OSDP (CVE-2023-21405), highlighting that the OSDP message parser crashes the pacsiod process, causing a temporary unavailability of the door-controlling functionalities. Axis has released a patched version for affected devices that increases the robustness of the OSDP message parser and patches the highlighted flaw.

Ariel Harush and Roy Hodir from OTORIO have found a flaw in the AXIS A1001 when communicating over OSDP (CVE-2023-21406). A heap-based buffer overflow was found in the pacsiod process which is handling the OSDP communication allowing to write outside of the allocated buffer. Axis has released a patched version for affected devices that increases the robustness of the OSDP message parser and patches the highlighted flaw.

Alexander Pick, member of the AXIS OS Bug Bounty Program, has found a flaw in AXIS OS 11.0.X - 11.3.x (CVE-2023-21404) that does not follow Axis secure development best practices. A static RSA key was used to encrypt Axis-specific source code in legacy LUA-components.

Statement from Axis Communications on the discovered BOA webserver vulnerabilities (CVE-2017-9833 and CVE-2021-33558). Axis has been using the BOA webserver in its legacy products from firmware 5.65 and lower. However, these products are not affected as the required 3rd party components[1] for exploiting the vulnerabilities are not used in Axis products. In addition to that, further protection is provided by performing input validation on API-interfaces. Newer Axis products with firmware 5.70 and higher utilize the Apache webserver and the BOA webserver was therefore removed.

[1] backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, config.js and /cgi-bin/wapopen are not used

Statement from Axis Communications on the uClibc DNS vulnerability discovered by Nozomi Networks (CVE-2021-43523, CVE-2022-30295). Axis has not incorporated the uClibc package since 2010 in Axis products, software and services. To date, no active selling or discontinued Axis product that is still under hardware or software support is therefore affected by this vulnerability except for the AXIS P7701 Video Decoder. We are currently awaiting the availability of an upstream patch to be available to judge if we can provide a service release that patches this vulnerability.

Axis acknowledges the importance and hard work performed by independent researchers and companies and therefore lists outstanding contributors in our new Product Security Hall of Fame.

An updated version of the AXIS OS Hardening Guide as well as a all-new hardening guide for AXIS Camera Station System has been released.

The Axis Security Team has updated the vulnerability management policy for products, software and services aiming to provide a more detailed and comprehensive vulnerability management process. The Axis Security Notification Service will be used from now on to inform on regular bases not only about Axis vulnerabilities but also 3rd party open-source components such as Apache, OpenSSL and others used in Axis products, software and services.