Memory overflow vulnerability of some XM devices

2022-02-22 12:00:00


No: XM-SN-XMSRC2201

CVE-2022-26259

Date of the first release: 2022-02-22

Abstract:

Some devices have a memory overflow vulnerability that causes the device to restart. XM has fixed this vulnerability in new devices and new firmware.

Product models, affected versions and fixed versions

Product models: NBD80X16S-KL, NBD80X09S-KL, NBD80X08S-KL, NBD80X09RA-KL
Affected version: YK_HZXM_NBD80X16S-KL_V4.03.R11.Nat.dss.OnvifC.20210727.bin
Fixed version: YK_HZXM_NBD80X16S-KL_V4.03.R11.Nat.dss.OnvifC.20220217.bin

Product models: AHB80X04R-MH, AHB80X04R-MH-V2, AHB80X04-R-MH-V3
Affected version: YK_HZXM_AHB80X04R-MH_V4.03.R11.Nat.dss.OnvifC.20210729.bin
Fixed version: YK_HZXM_AHB80X04R-MH_V4.03.R11.Nat.dss.OnvifC.20220212.bin

Product models: AHB80N16T-GS
Affected version: YK_HZXM_AHB80N16T-GS_V4.03.R11.7601.Nat.OnvifC.20211223.bin
Fixed version: YK_HZXM_AHB80N16T-GS_V4.03.R11.7601.Nat.OnvifC.20220210.bin

Product models: AHB80N32F4-LME
Affected version: YK_HZXM_AHB80N32F-LME_V4.03.R11.7601.Nat.OnvifC.20211228.bin
Fixed version: YK_HZXM_AHB80N32F-LME_V4.03.R11.7601.Nat.OnvifC.20220210.bin

Product models: NBD90S0VT-QW
Affected version: YK_HZXM_NBD90S08VT-QW_V4.03.R11.713g.Nat.OnvifC.2021.bin
Fixed version: YK_HZXM_NBD90S08VT-QW_V4.03.R11.713g.Nat.OnvifC.20220219.bin

Vulnerability score details

The vulnerability has been scored using the CVSS v3 scoring system:

http://www.first.org/cvss/specification-document

Base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

 

Get firmware version

Contact XM technical support to get the device firmware. Download the firmware from the website: https://baike.xm030.cn

Resources

This vulnerability was disclosed by Mr. Chris Leech.

We are very grateful to Mr. Chris Leech for helping us disclose this vulnerability, for actively communicating with and guiding us, and for discussing this vulnerability and its solutions with us.

Thanks again to Mr. Chris Leech for his dedication!

 

Revision history

2022-02-22 V1.0 (Initial version)