There are vulnerabilities in NUUO’s Video Recorder Software that give attackers access to video feeds and recordings, researchers said.
The remotely exploitable vulnerabilities allow attackers to execute code in NUUO-based IoT video surveillance systems, said researchers at Tenable Research.
The remote code execution vulnerability has been named Peekaboo. While NUUO finally released a patch, the vulnerability could reside in hundreds of products from third-party vendors.
The first of two vulnerabilities found by Tenable Research is a critical unauthenticated stack buffer overflow, while the second one consists of a backdoor in leftover debug code.
Both vulnerabilities were evaluated and tested in the NVRMini2, NUUO’s lightweight and portable NVR device with NAS functionality, and are considered highly critical because they can provide attackers with full system access.
The attack vector for NUUO’s NVRMini2 NAS and NVR is the web service, which can be exploited remotely using the stack buffer overflow bug unveiled by Tenable Research.
NUUO’s video recording software is bundled with thousands of cameras from more than 100 third-party vendors.
Once an attacker has full access to the NVRMini2, they can view any camera feeds or video recordings accessible from the compromised device, with the bonus of having plain text access to credentials for all connected cameras.
The bigger issue is that NUUO’s Video Recorder Software also ships as the control tool for more than 100 different third-party surveillance camera manufacturers, a fact which expands the threat scope of the vulnerability disclosed in Tenable Research’s report.
After 105 days of notice, NUUO released a patch.