Key Information

Vulnerability Title: Selea Targa IP OCR-ANPR Camera Unauthenticated SSRF
Advisory ID: ZSL-2021-5617
Type: Local/Remote
Impact: Exposure of System Information
Risk: 3/5
Release Date: 21.01.2021

Summary

The IP camera features Optical Character Recognition (OCR) software for Automatic Number Plate Recognition (ANPR), and is equipped with an ADR system capable of reading Hazard Identification Numbers (HIN, also known as the Kemler code) and UN numbers from any vehicle captured in free-flow mode. TARGA excels at accurately reading the license plates of numerous moving vehicles under high-speed conditions. Its built-in OCR software operates as an independent system without requiring a computer, so the device remains autonomous even when the connection between the camera and the control center is interrupted.

Description

An unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists within the Selea ANPR camera. The application process supports a POST JSON method "/api/set" that constructs image requests for IP notifications. Because the destination parameter is not validated, an attacker can specify an external domain and force the application to send HTTP requests to any target host. This can be exploited by internal attackers to bypass firewalls and perform service and network enumeration by leveraging the affected application to access the internal network.

Vendor

Selea s.r.l.

Affected Versions

Model:
- iZero
- Targa 512
- Targa 504
- Targa SmartIce
- Targa 604 TKM
- Targa 605
- Targa 710 (INOX)
- Targa 704
- Targa 704 ILS

Firmware versions:
- BLD2011061113005214
- BLD201006304170801
- BLD200906304170801
- BLD20090303143345
- BLD2019118145435
- BLD20191202180140
- CPS_4.0.13(201005)
- 3.1.00(201005)
- 2.00E(201206)
- 2.00B(201112)

Test Environment

GNU/Linux x86_64 3.10.53 (armv?)
PHP 5.6.22
selea_httpd HttpServer v1.1
SeleiaCPSHttpServer v1.1

Vendor Status

[07.11.2020] Vulnerability discovered.
[09.11.2020] Vendor contacted.
[09.11.2020] Vendor responded requesting clarification.
[09.11.2020] Inquired with vendor about security contact and explained security submission and risk impact.
[10.11.2020] Received vendor response.
[11.11.2020] Sent detailed information to vendor (high severity, requested PGP).
[14.11.2020] Inquired with vendor for status update.
[18.11.2020] Vendor confirmed vulnerability and fixed most of the issues described in new camera firmware and CarPlateReader software versions.
[19.11.2020] Responded to vendor.
[06.12.2020] Inquired with vendor for status update.
[06.12.2020] Vendor responded.
[09.12.2020] Inquired with vendor for status update.
[17.01.2021] Inquired with vendor for status update.
[20.01.2021] Vendor responded.
[21.01.2021] Public security advisory released.

PoC

seleaanpr_ssrf.txt

Acknowledgments

Vulnerability discovered by Gjoko Krstic
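The Description above attributes the SSRF to a missing validation of the notification destination accepted by the "/api/set" endpoint. The following is an added example, not code from the advisory or from Selea's firmware (which runs on PHP; this sketch is in Python for readability), of the check such an endpoint needs: the destination is compared against an operator-configured allow-list of collector hosts and ports rather than trusted from the request body. The JSON key notify_url, the allow-list contents, the collector hostname and the handler's response shape are all assumptions; the camera's real parameter names are not given on this page.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Assumption: operator-configured destinations the camera may notify.
# A target that is not on this list is refused, so the request body
# cannot steer the camera's HTTP client at arbitrary hosts.
ALLOWED_NOTIFICATION_HOSTS = {
    "anpr-collector.example.internal": {443, 8443},
}

# Only TLS-protected HTTP to the configured collectors is permitted.
ALLOWED_SCHEMES = {"https"}

# Assumption: the JSON key carrying the image-notification destination.
NOTIFY_URL_KEY = "notify_url"


def validate_notification_url(url):
    """Return (True, normalised_url) if url points at an allow-listed
    collector, otherwise (False, reason). Pure function, no network I/O."""
    if not isinstance(url, str) or len(url) > 2048:
        return False, "notification target must be a short string"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not permitted: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not permitted"
    host = parts.hostname
    if not host:
        return False, "missing host"
    host = host.lower().rstrip(".")
    # Defence in depth: bare IP literals (10.0.0.5, 127.0.0.1, [::1], ...)
    # can never match the hostname allow-list, but reject them explicitly
    # so the reason recorded in the device log is unambiguous.
    try:
        ipaddress.ip_address(host)
        return False, "IP literals are not permitted as notification targets"
    except ValueError:
        pass
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443
    allowed_ports = ALLOWED_NOTIFICATION_HOSTS.get(host)
    if allowed_ports is None:
        return False, "host not on the notification allow-list: %r" % host
    if port not in allowed_ports:
        return False, "port %d not permitted for %r" % (port, host)
    # Rebuild the URL from the validated pieces instead of echoing the input.
    normalised = "https://%s:%d%s" % (host, port, parts.path or "/")
    if parts.query:
        normalised += "?" + parts.query
    return True, normalised


def handle_api_set(body):
    """Simulated handler for the JSON body of a POST /api/set request.
    Returns a dict describing whether the setting was accepted."""
    try:
        data = json.loads(body)
    except ValueError:
        return {"status": "rejected", "reason": "body is not valid JSON"}
    if not isinstance(data, dict) or NOTIFY_URL_KEY not in data:
        return {"status": "rejected", "reason": "missing %s" % NOTIFY_URL_KEY}
    ok, detail = validate_notification_url(data[NOTIFY_URL_KEY])
    if not ok:
        # The reason string is what a defender wants logged: repeated
        # refusals naming internal hosts or odd ports indicate probing.
        return {"status": "rejected", "reason": detail}
    return {"status": "accepted", "target": detail}


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    for sample in (
        '{"notify_url": "https://anpr-collector.example.internal:8443/plate"}',
        '{"notify_url": "http://10.0.0.5:22/"}',
        '{"notify_url": "https://external.example.com/collect"}',
    ):
        print(sample, "->", handle_api_set(sample))
```

The allow-list is the actual control; the scheme, credential and IP-literal checks only make the log entries more precise. Hostnames are compared as strings and never resolved here, so the check stays deterministic and offline; resolution happens later in the HTTP client, against names the operator chose.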