Products Affected

• EOS Series (DSLR and Mirrorless)
• PowerShot SX70HS
• PowerShot SX740HS
• PowerShot G5XMarkII

Multiple Canon digital cameras (EOS series and PowerShot series) contain multiple vulnerabilities listed below.

• Buffer overflow vulnerability in PTP (Picture Transfer Protocol) when processing SendObjectInfo command (CWE-120) - CVE-2019-5994
• Buffer overflow vulnerability in PTP (Picture Transfer Protocol) when processing notifybtstatus command (CWE-120) - CVE-2019-5998
• Buffer overflow vulnerability in PTP (Picture Transfer Protocol) when processing blerequest command (CWE-120) - CVE-2019-5999
• Buffer overflow vulnerability in PTP (Picture Transfer Protocol) when processing sendhostinfo command (CWE-755) - CVE-2019-6000
• Buffer overflow vulnerability in PTP (Picture Transfer Protocol) when processing setadapterbatteryreport command (CWE-755) - CVE-2019-6001
• Missing authorization vulnerability which may result in unauthorized firmware update (CWE-862) - CVE-2019-5995

Impact

• A specially crafted PTP command may cause buffer overflow, which may result in the affected digital camera being unresponsive or arbitrary code being executed by a remote attacker - CVE-2019-5994, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, CVE-2019-6001
• Specially crafted firmware by a remote attacker or unofficial firmware update may be applied without the user's consent since the user confirmation process before applying firmware update is not implemented in the software - CVE-2019-5995

Thing that we see here can be first step on killing Canon hacking activities, as some data suggest that this is exact things used to dump firmware by the team for years.