PT-2021-11404 · Rostelecom · Rostelecom Cs-C2Shw

Published: 2021-01-25 · Updated: 2021-07-21 · CVE-2020-27542

CVSS v3.1: 6.8 (Medium)

Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Rostelecom CS-C2SHW version 5.0.082.1
Description: The issue affects the camera's configuration process via QR code, whose payload includes network settings. The static IP configuration from the QR code is copied to the file /config/ip-static. After a reboot, this data is inserted into a bash command without proper escaping, which makes bash command injection possible. The camera does not parse QR codes if it has already been successfully configured, and it always reboots after a successful configuration via QR code.
Recommendations: For version 5.0.082.1, as a temporary workaround, consider restricting the use of QR code configuration to minimize the risk of exploitation. Avoid using the QR code configuration feature until a patch is available.
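
The root cause described above is untrusted file content reaching a shell command line. The following is an added example, not vendor or advisory code, of allow-list validation for static-IP values before use; the one-value-per-line layout (address, netmask, gateway) and the function names `is_ipv4` and `validate_static_ip` are assumptions, since the advisory does not document the format of /config/ip-static.

```shell
#!/bin/sh
# Added example. Assumption: the static-IP file holds one value per line
# (address, netmask, gateway); the advisory does not give the real layout.

# is_ipv4 VALUE: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: value is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac   # more than 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_static_ip FILE: succeed only if FILE has exactly three lines and
# each one passes is_ipv4. Values are compared, never evaluated.
validate_static_ip() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        is_ipv4 "$line" || return 1
        count=$((count + 1))
    done < "$1"
    [ "$count" -eq 3 ]
}

# Constructed sample values (not taken from the advisory).
for v in '192.168.1.10' '192.168.1.10; echo injected' '10.0.0.1$(id)' '300.1.1.1'; do
    if is_ipv4 "$v"; then echo "accept: $v"; else echo "reject: $v"; fi
done
# After validation, pass each value as its own quoted argument ("$addr");
# never build a command string for eval or sh -c from file contents.
```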

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2020-27542

Affected Products

Rostelecom Cs-C2Shw