February Vuln of the Month: CVE-2022-37061
It’s the post-Valentine’s Day haze! And to express our appreciation for you, we thought we’d dispense with the standard flowers-and-chocolates CVE treatment and go with something really special—a vuln so unique it glows in the dark. It’s a remote command injection vulnerability in FLIR AX8 thermal imaging cameras, which provide continuous temperature monitoring and alarming to protect electronic and mechanical equipment.
For February’s Vuln of the Month, then, we’re giving you CVE-2022-37061. This vulnerability exists in FLIR AX8 cameras up to and including version 1.46.16. A successful exploit can allow attackers to execute arbitrary commands—which could lead to compromised thermal monitoring and possible outages, service interruptions, and equipment failure.
Our research shows that CVE-2022-37061 meets many of the criteria we look for in a vulnerability likely to be exploited, including:
- Access complexity: Low
- Potential attack surface: Limited
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: High
- Exploit code published: Yes
- Active exploits observed: Yes
CVE-2022-37061 earns a Kenna Risk Score of 94. Just 0.22% of CVEs earn a higher score. CVSS 3.X scores it at 9.8 or Critical (we would agree). For once, CVSS and the Kenna Risk Score are in alignment. It doesn’t happen often, but when it does, we call it out.
Why CVE-2022-37061 matters
The FLIR AX8 has been on the market since 2014, protecting data centers, power plants, manufacturing facilities, storage facilities, engine rooms, maritime equipment, and more. The unit combines sensitive infrared temperature sensors with camera technology to provide visual monitoring of the thermal condition of equipment, setting off alarms when temperatures fall outside set parameters.
CVE-2022-37061 is uniquely risky because this camera is vital to ensuring that physical systems and equipment continue to operate safely and securely—and successful exploits can lead to the FLIR AX8 being corrupted and possibly disabled. In many cases, these are systems that human beings rely on for their own comfort and safety. For instance, the cameras can alert operators to equipment that’s overheating or to a fire breaking out. FLIR even found a new market for the product in recent years: yacht owners, who have suffered an increase in fires due to lithium-ion battery explosions. At around $1,000, it’s not a cheap gadget, but neither are the things it’s designed to protect.
It’s also a risk because IoT equipment (and operational technology) often isn’t managed as carefully or prioritized as highly as computer systems and applications. That in itself is a potentially serious risk to certain operations, which is why affected organizations should remediate CVE-2022-37061 ASAP.
Special VOTM Movie Scene
To illustrate the point even further, we’ve cooked up a special Vuln of the Month movie scene just for you. (Consider it a post-Valentine’s Day gift!)
EXTERIOR, POWER PLANT REAR ENTRANCE, NIGHT
Two men in black sweaters and ski hats huddle over a laptop inside an unmarked van.
BAD GUY 1
“Okay, I’m on the network! Let me override the FLIR cameras real quick.”
Seconds pass…
BAD GUY 1 (Panicked)
“It’s not working! I can’t get control of those cameras!”
BAD GUY 2
“What do you mean it’s not working?”
BAD GUY 1
“They must have patched CVE-2022-37061!”
BAD GUY 2
“You told us no one knew about that!”
BAD GUY 1
“Gah! They must use Kenna, the leader in risk-based vulnerability management…and they probably read that Vuln of the Month blog.”
BAD GUY 2 (Shaking fist at sky)
“Kennnaaaaaa!!”
FBI agents bust through the rear doors and arrest the hackers.
Bottom line
A remotely exploitable, low-complexity vuln that requires no authentication, can lead to serious availability impacts, and has proof-of-concept code published along with active exploits…if your organization uses these cameras, it’s time to add CVE-2022-37061 to your fix list.
Mitigation status
While we’ve been unable to find online remediation guidelines or a relevant vendor advisory from Teledyne FLIR, we contacted the vendor directly and received a link to a firmware patch that their support staff says will resolve the vulnerability: https://support.flir.com/Partners/Assets/Ax8/AX8_swcomb_v1.52.16.zip
Once downloaded and unpacked, the ZIP file includes directions on how to update FLIR AX8 firmware. Alternatively, you can reach FLIR tech support by phone.
Watch this space for regular Vuln of the Month spotlights, which appear on the second Tuesday of each month. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.