Network video recorders from surveillance solutions provider NUUO and networking company Netgear are affected by multiple vulnerabilities.
The vulnerabilities affect a web management interface developed by NUUO. Netgear also uses the same code. The list of network video recorders (NVRs) confirmed to be vulnerable includes NUUO NVRmini 2, NVRsolo, and Crystal, and Netgear ReadyNAS Surveillance.
Pedro Ribeiro of Agile Information Security discovered seven vulnerabilities.
The vulnerabilities are backdoors, hardcoded credentials, and issues attackers can leverage for arbitrary code and command execution.
“Although only the NVRmini 2, NVRsolo, Crystal and ReadyNAS Surveillance devices are known to be affected, it is likely that the same code is used in other NUUO devices or even other third party devices (the firmware is littered with references to other devices like NUUO Titan),” Ribeiro said in a post. “However, this has not been confirmed as it was not possible to access all NUUO and third party devices that might be using the same code.”
Two of the flaws have been described as input validation issues (CVE-2016-5674 and CVE-2016-5675). They allow unauthenticated and authenticated attackers, respectively, to execute arbitrary code with root or administrative privileges.
Another vulnerability can be exploited by an unauthenticated attacker to call a function responsible for several system commands and reset the administrator password. NUUO patched that vulnerability, tracked as CVE-2016-5676.
Ribeiro also found an information disclosure bug (CVE-2016-5677) that allows a remote, unauthenticated attacker to view details on system processes, available memory and filesystem status by accessing a hidden page with a hardcoded username and password.
The researcher also found hardcoded credentials in NUUO NVRmini 2 and NVRsolo firmware. While Ribeiro did not break the password hashes, an attacker who does crack them could log in to the affected devices with root privileges (CVE-2016-5678).
Two other vulnerabilities can be exploited to execute arbitrary OS commands (CVE-2016-5679) and arbitrary code (CVE-2016-5680). The flaws can be exploited locally by any user, but an attacker could also exploit them remotely.
Ribeiro has released proof-of-concept (PoC) code for each of the flaws and, in some cases, even Metasploit modules.
Ribeiro and the CERT Coordination Center (CERT/CC) have been trying to inform the vendors about the vulnerabilities since late February, but NUUO has been unresponsive and Netgear only confirmed receiving the vulnerability details.