VMC3040S
Arlo is aware of a security vulnerability in the Arlo Q Plus device. This is caused by a security misconfiguration that allowed attackers with physical access to the device to escalate privileges. This vulnerability was promptly resolved by an automatic firmware update.
This was not a security breach, and no videos or personal information were accessed as a result of this vulnerability. As the cybersecurity landscape continually and rapidly evolves, Arlo remains committed to, and at the forefront of, collaborating with security researchers like Bugcrowd and Trend Micro to proactively identify opportunities to further enhance the security of Arlo’s platform.
Security Misconfiguration
The specific flaw exists within the SSH service. An attacker with physical access to the camera can boot into a special operation mode where hard-coded credentials are accepted for SSH authentication and can leverage this vulnerability to escalate privileges to root.
This vulnerability affects the following products:
• VMC3040S
The following firmware update was released by Arlo to resolve this vulnerability:
VMC3040S: 1.9.0.8_199_3707910
Note: For all Arlo products, firmware updates are sent to your devices automatically. You do not need to manually update your firmware.
Disclaimer:
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Arlo reserves the right to change or update this document at any time. Arlo expects to update this document as new information becomes available.
Acknowledgements
Team FLASHBACK: Pedro Ribeiro (@pedrib1337 | pedrib@gmail.com) and Radek Domanski (@RabbitPro) working with Trend Micro Zero Day Initiative.
Contact
We appreciate and value having security concerns brought to our attention. Arlo constantly monitors for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental for product support at Arlo.
To report a security vulnerability, visit https://www.arlo.com/en-us/about/security/default.aspx.
Last Updated: 06/10/2021
Article ID: 000062592