A severe flaw in NUUO software could allow attackers to remotely view video feeds and tamper with the recordings of thousands of security cameras, Tenable has disclosed. The flaw, which Tenable researchers named Peekaboo, could affect hundreds of brands and about 2,500 different camera models that are integrated with NUUO’s software. By giving access to users’ usernames and passwords, the bug could be exploited to manipulate surveillance cameras and take them offline.

NUUO’s devices and software are widely used for web-based video monitoring and security in various industries, including retail, government, education, banking, and transportation. The flaw was found in NVRMini 2, a network-attached storage device and network video recorder. The bug, an unauthenticated stack buffer overflow, could lead to remote code execution. Tracked as CVE-2018-1149, it has a CVSSv2 Base Score of 10.0.

“Once exploited, Peekaboo would give cybercriminals access to the control management system (CMS), exposing the credentials for all connected video surveillance cameras. Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage,” Tenable says.

The flaw was identified in NVRMini 2 firmware versions older than 3.9.0. Despite being publicly disclosed, the vulnerability remains unpatched, though a patch is in the works.

“In the meantime, users are urged to control and restrict access to their NUUO NVRMini2 deployments and limit this to legitimate users from trusted networks only. Owners of devices connected directly to the internet are especially at risk, as potential attackers can target them directly over the internet. Affected end users must disconnect these devices from the internet until a patch is released,” Tenable says.

The problem lies in the use of an open source web server with support for executable binaries via the Common Gateway Interface (CGI) protocol. One of the CGI binaries, ‘cgi_system’, handles various commands and actions that require the user to be authenticated. However, the length of the session ID in the cookie parameter is not checked during authentication, which allows a stack buffer overflow in the sprintf function.
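The class of bug described above, as an added example that is neither NUUO's code nor Tenable's proof of concept: the unsafe `sprintf` pattern appears only in a comment, next to a hardened routine that checks the session ID length and characters before a bounded write. The cookie name `session_id`, the `/tmp/session_` prefix and both size limits are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_KEY     "session_id="  /* hypothetical cookie parameter name */
#define SESSION_ID_MAX 32             /* assumed maximum valid ID length */
#define PATH_BUF_LEN   64             /* assumed size of the stack buffer */

/* Unsafe pattern of the kind the article describes (shown only, never called):
 *     char path[PATH_BUF_LEN]; sprintf(path, "/tmp/session_%s", id);
 * The client controls strlen(id), so the write can run past path[]. */

/* Find the session ID in a Cookie header value; sets *len, or returns NULL. */
static const char *find_session_id(const char *cookie, size_t *len)
{
    const char *p = cookie;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;          /* skip separators */
        if (strncmp(p, COOKIE_KEY, strlen(COOKIE_KEY)) == 0) {
            p += strlen(COOKIE_KEY);
            *len = strcspn(p, ";");                   /* value ends at ';' or NUL */
            return p;
        }
        p = strchr(p, ';');                           /* next cookie pair */
    }
    return NULL;
}

/* Hardened form: reject bad IDs before formatting, and bound the write.
 * Returns 0 on success, -1 on any rejected input. */
int build_session_path(const char *cookie, char *out, size_t out_len)
{
    size_t len = 0;
    const char *id = cookie ? find_session_id(cookie, &len) : NULL;
    if (!id || !out || len == 0 || len > SESSION_ID_MAX)
        return -1;                                    /* length checked first */
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)id[i]))
            return -1;                                /* allow-list characters */
    int n = snprintf(out, out_len, "/tmp/session_%.*s", (int)len, id);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;  /* detect truncation */
}

int main(void) {
    char path[PATH_BUF_LEN];                          /* constructed sample header below */
    if (build_session_path("lang=en; session_id=abc123", path, sizeof path) != 0) return 1;
    puts(path);
    return 0;
}
```

Rejecting the request on an over-long ID, instead of truncating it, also keeps a malformed session from being matched against a valid one.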

The flaw can result in remote code execution with “root” or administrator privileges, Tenable’s security researchers found. Proof-of-concept code demonstrating the flaw has been published on GitHub. In addition to this vulnerability, Tenable found a backdoor in leftover debug code. Tracked as CVE-2018-1150, that flaw has a CVSSv2 Base Score of 4.0.

The backdoor is enabled if a file named /tmp/moses exists, the researchers explain. The backdoor can be used to list all user accounts on the system, and it also allows any account’s password to be changed. An attacker abusing the vulnerability could not only view the security camera feeds and CCTV recordings, but could also remove a camera from the system entirely.

“This is a very odd artifact. We weren’t able to determine if it’s leftover development code or if it was maliciously added. To be able to activate and utilize the backdoor, an attacker would need to be able to create the file “/tmp/moses,” so the attack would require some form of access or need to be combined with another exploit. Its existence and lack of obfuscation in the code is the real mystery,” Tenable says.
