Critical Heap Buffer Overflow in Sudo Plaguing Tyco Illustra Cameras

• Several models of Tyco Illustra cameras deployed globally are vulnerable to privilege elevation exploits.
• There are fixing upgrades available for all vulnerable models except for one that has reached EOL.
• Exploiting the flaw isn’t complicated and doesn’t require authentication, but presupposes physical access.

CISA has published an alert to inform users of Tyco Illustra cameras about CVE-2021-3156, a critical heap buffer overflow vulnerability on Sudo that could lead to a hacker obtaining administrator access to the underlying Linux OS. Successfully exploiting the flaw is simple as there’s not much complexity involved in the process, and the fact that the affected products are deployed in critical manufacturing fields across the globe is making the situation pretty bad.

The particular flow affects a wide range of products that use the Sudo program, all versions before 1.9.5p2, and this includes several Tyco camera models. Exploiting it requires local access to the devices, which somewhat alleviates the criticality, but it is open to unprivileged users who don’t need to authenticate in order to carry out the attack. Several Linux distributions have already published relevant advisories about this and updated their Sudo to prevent exploitation.

The vulnerable cameras carry the Tyco brand, but they are made by ‘Sensormatic Electronics,’ a subsidiary of Johnson Controls. The models that are affected by the flaw are the following:

• Pro Gen 3, All versions prior to 2.8.0
• Flex Gen 2, All versions prior to 1.9.4
• Pro 2, All versions
• Insight, All versions prior to 1.4.0

Upgrading to the versions indicated above resolves the problem. Unfortunately, all Pro 2 versions are vulnerable, and there will be no fix for the particular model as it has already reached its end of life and is no longer supported by the vendor. In addition to applying the updates, users are advised to restrict physical access to the device to authorized personnel only and ensure that the principles of “least privilege” are followed in the organization.

In general, when using surveillance systems in sensitive environments, following an insider threat prevention strategy is key. Perform frequent risk assessments, apply patches as soon as they come out, use data encryption and MFA wherever possible, actively monitor all access, lock server rooms, document all electronics in the premises, and define access zones with certain privilege tiers.