NVR Software Flaw Threatens Thousands of Devices

A network video recorder (NVR) application used by organizations around the world to control surveillance cameras contains a critical vulnerability that could expose devices to hacking.

The flaw was found by researchers from security firm Tenable in NVR software developed by NUUO, a global manufacturer of video surveillance solutions headquartered in Taiwan. NUUO uses the software in its own hardware products but also licenses it to third-party technology vendors and integrators.

The vulnerability, tracked as CVE-2018-1149 and dubbed Peekaboo, is a buffer overflow that can be triggered through the software’s web-based interface. The flaw was tested and confirmed in NVRMini2, one of NUUO’s NVR-NAS combo devices that’s capable of recording and controlling video feeds from multiple surveillance cameras.

“During authentication, the cookie parameter’s session ID size isn’t checked, which allows for a stack buffer overflow in the sprintf function,” the researchers said in a blog post. “This vulnerability allows for remote code execution with ‘root’ or administrator privileges.”
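The bug class the researchers describe, shown as an added example that is not NUUO's code or part of the original article: a cookie value is length-checked before use and the path is built with a bounded write. The cookie name `SESSIONID`, the `sessions/` path, the 32-character limit and the alphanumeric-only rule are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SESSION_ID_MAX 32 /* assumed limit for this example */

/* Unsafe pattern of the kind described (illustrative, not NUUO's code):
 *     char path[64];
 *     sprintf(path, "sessions/%s", id_from_cookie);   no size check
 * A cookie value longer than the buffer is written past its end. */

/* Copy cookie `name`'s value into out. Returns 0 on success, -1 if the
 * cookie is missing, empty, too long, or not strictly alphanumeric. */
int get_session_id(const char *hdr, const char *name, char *out, size_t out_sz)
{
    size_t nlen = strlen(name);
    for (const char *p = hdr; p && *p; p = strchr(p, ';')) {
        while (*p == ';' || *p == ' ') p++;          /* skip separators */
        if (strncmp(p, name, nlen) != 0 || p[nlen] != '=') continue;
        const char *v = p + nlen + 1;
        size_t vlen = strcspn(v, ";");               /* value ends at ';' */
        if (vlen == 0 || vlen > SESSION_ID_MAX || vlen >= out_sz) return -1;
        for (size_t i = 0; i < vlen; i++)
            if (!isalnum((unsigned char)v[i])) return -1;
        memcpy(out, v, vlen);
        out[vlen] = '\0';
        return 0;
    }
    return -1;
}

/* Bounded replacement for the sprintf call; -1 if the result would not fit. */
int build_session_path(const char *id, char *path, size_t path_sz)
{
    int n = snprintf(path, path_sz, "sessions/%s", id);
    return (n < 0 || (size_t)n >= path_sz) ? -1 : 0;
}

int main(void)
{
    char id[SESSION_ID_MAX + 1], path[64];
    const char *hdr = "lang=en; SESSIONID=abc123DEF"; /* constructed input */
    if (get_session_id(hdr, "SESSIONID", id, sizeof id) == 0 &&
        build_session_path(id, path, sizeof path) == 0)
        printf("session file: %s\n", path);
    return 0;
}
```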

The researchers also found a second vulnerability in the form of a backdoor that gets activated if a file called /tmp/moses is present on the device filesystem. The backdoor allows potential attackers to list all user accounts and change their passwords, which could provide full access to camera feeds and recordings.

“We weren’t able to determine if it’s leftover development code or if it was maliciously added,” the researchers said. “To be able to activate and utilize the backdoor, an attacker would need to be able to create the file ‘/tmp/moses,’ so the attack would require some form of access or need to be combined with another exploit. Its existence and lack of obfuscation in the code is the real mystery.”

It’s estimated that NUUO’s devices are used as part of more than 100,000 video surveillance deployments worldwide, in industries such as retail, transportation, education, government and banking. Since each NVR device can be used to control up to 16 cameras, the number of indirectly affected cameras is most likely in the hundreds of thousands.

According to Tenable, NUUO communicated that a patch is in development, but it hadn’t been released by the time the security firm published its advisory Monday. Users are advised to restrict network access to potentially vulnerable devices and ensure that only authorized and legitimate users can access them.

NVRs and video surveillance cameras have increasingly been targeted by hackers in recent years, particularly by IoT botnet operators. These devices were a large component of botnets such as Mirai and GafGyt.

Honeywell Patches Privilege Escalation Flaw in Handheld Mobile Devices

Google’s Android team found a serious vulnerability in rugged mobile computers from Honeywell that run Android and are used in various industries including manufacturing, energy and health care.

The vulnerability affects 17 devices from the CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51 and EDA series that run Android 4.4, 6.0, 7.1 or 8.1. Because they are used to interact with industrial equipment, Honeywell informed the U.S. government’s ICS-CERT about the flaw.

“A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges,” ICS-CERT said in an advisory. “This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable information, photos, emails, or business-critical documents.”

The advisory lists the patches available for each affected device, and Honeywell advises organizations to whitelist the applications allowed on their devices. This would limit the risk from potentially malicious applications that could exploit vulnerabilities such as this one.

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
