Over 130,000 vulnerable products available online.

AVTECH, a Taiwanese CCTV equipment manufacturer, has failed to respond to Search-Lab, a Hungarian security firm that spent more than a year trying to inform the company about 14 security bugs affecting the firmware of all its products.
Almost a year after it first contacted the hardware maker, Search-Lab published a public advisory about the vulnerabilities it discovered, warning sysadmins that their AVTECH products may be in danger of exploitation.
AVTECH fails to provide firmware updates
According to a long list of security flaws, the bugs found by Search-Lab researcher Gergely Eberhardt allow attackers to take over AVTECH products from a remote location, via the Internet.
As such, the researcher is issuing a public warning, urging sysadmins to change the default admin password on AVTECH equipment in order to avoid having these devices added to a DDoS botnet, as previously happened with devices manufactured by companies such as Dahua, AVer, and TVT.
But changing the admin password is not enough, the researcher says. There are also other security flaws that allow attackers to bypass authentication procedures.
In order to safeguard their equipment, Eberhardt recommends that companies block access from the Internet to the devices’ configuration panel and limit that access to internal IPs or selected IP ranges.
Bugs lead to total device takeover
The full list of vulnerabilities the Search-Lab researcher found is available below. Eberhardt says that “every Avtech device (IP camera, NVR, DVR) and firmware version” is affected.
1) Plaintext storage of administrative password
2) Missing CSRF protection
3) Unauthenticated information disclosure under the /cgi-bin/nobody folder
4) Unauthenticated SSRF in DVR devices
5) Unauthenticated command injection in DVR devices
6) Authentication bypass if the URL contains the ".cab" string
7) Authentication bypass via the /cgi-bin/nobody folder
8) Unauthenticated file download from web root
9) Login captcha bypass via the "login=quick" parameter
10) Login captcha bypass by manually setting specific cookies
11) Authenticated command injection in CloudSetup.cgi
12) Authenticated command injection in adcommand.cgi
13) Authenticated command injection in PwdGrp.cgi
14) HTTPS used without certificate verification
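As an added illustration (not Search-Lab's code and not part of the original article), a small Python log-triage routine a defender could run over web-server or proxy access logs in front of an AVTECH device: it flags requests that arrive from outside the internal ranges the researcher recommends restricting access to, and requests matching the paths and parameters named in the list above. The log lines and the file names under the listed folders are constructed samples, not real AVTECH endpoints.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Request indicators taken from the advisory's vulnerability list (items 3, 6, 7, 9, 11-13).
ADVISORY_PATHS = ("/cgi-bin/nobody", "CloudSetup.cgi", "adcommand.cgi", "PwdGrp.cgi")
# Assumed "internal" ranges (RFC 1918); adjust to the ranges you actually allow.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined log format: client IP, identity, user, [timestamp], "METHOD target protocol", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(line):
    """Return the reasons a log line deserves attention (an empty list means nothing notable)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    ip = ipaddress.ip_address(m.group("ip"))
    target = m.group("target")
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    reasons = []
    if not any(ip in net for net in INTERNAL_NETS):
        reasons.append("access from non-internal address")
    if any(p in parts.path for p in ADVISORY_PATHS):
        reasons.append("request to path named in the advisory")
    if ".cab" in target:  # item 6: auth bypass when the URL contains ".cab"
        reasons.append("'.cab' in URL (authentication-bypass indicator)")
    if query.get("login") == ["quick"]:  # item 9: captcha bypass via login=quick
        reasons.append("login=quick parameter (captcha-bypass indicator)")
    return reasons

def scan_log(lines):
    """Return (client IP, reasons) for every line that raised at least one reason."""
    hits = []
    for line in lines:
        reasons = classify_request(line)
        if reasons:
            hits.append((line.split(" ")[0], reasons))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Oct/2016:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2016:13:55:40 +0000] "GET /cgi-bin/nobody/Example.cgi HTTP/1.1" 200 1024',
    '10.0.0.5 - - [10/Oct/2016:13:55:44 +0000] "GET /login.htm?login=quick HTTP/1.1" 200 300',
    '198.51.100.9 - - [10/Oct/2016:13:55:50 +0000] "GET /video.cab HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

Feed real access logs to scan_log one line at a time; a single line can carry several reasons, and an external source hitting a listed path is the combination the advisory's recommendations are meant to prevent.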
“We note that the above vulnerabilities were found within a short period of time without a systematic approach,” Eberhardt says. “Based on the vulnerability types we found and the overall code quality, the devices should contain many more problems.”
Over 130,000 AVTECH products available online
Search-Lab says its researcher is not the only one who has spotted these issues. Currently, the term “AVTECH” is the second most popular search term on Shodan, a search engine for discovering Internet-connected equipment, often used by hackers to find their next targets.
Eberhardt says that, at the time of writing, Shodan was returning more than 130,000 search results for the AVTECH term.
A list of confirmed affected firmware versions is available here, proof-of-concept exploitation code is available on GitHub, and an exploitation video is available below.