Zero Day vulnerability allows access to CCTV cameras


Firmware used in up to 800k cameras is vulnerable to attacks thanks to a buffer overflow vulnerability

Between 180k and 800k CCTV cameras are vulnerable to a zero-day bug that would allow attackers to access surveillance systems, spy and manipulate video transmissions, or install malware, as reported by specialists in ethical hacking.

According to a security report issued on Monday, the vulnerability has been rated as critical and is linked to the firmware possibly used in one out of 100 different cameras running the affected software. NUUO, the Taiwan-based company that manufactures the compromised firmware, is expected to issue an update patch for the flaw in the next few hours. The company works with more than 100 different partners, including Sony, Cisco Systems, D-Link and Panasonic. It is unclear how many NUUO partners might have been working with the vulnerable firmware.

The vulnerabilities (CVE-2018-1149 and CVE-2018-1150), named Peekaboo by the ethical hacking experts in charge of the research, are linked to the web server software of NUUO NVRMini2 devices.

According to the researchers, “once it is exploited, Peekaboo would provide cybercriminals access to the control management system, exposing the credentials of all connected surveillance cameras. Using root access on the NVRMINI2 device, cybercriminals could interrupt live broadcasts and alter security recordings”.

Last year, Reaper, a variant of the Mirai botnet, also attacked NUUO NVR devices. These recently revealed vulnerabilities leave the cameras open to similar botnet attacks.

CVE-2018-1149 is the disclosed zero-day vulnerability. Using tools like Shodan, attackers can find a vulnerable device and then trigger a buffer overflow that gives them access to the CGI of the camera’s web server, which acts as a gateway between a remote user and the web server. According to the researchers, the attack involves delivering a cookie file too large for the CGI identifier. The CGI does not validate the user’s input correctly, allowing attackers to access the web server portion of the camera.
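
The input-validation failure described above, shown from the defensive side as an added example (this is not NUUO's firmware code and not taken from the researchers' report): a C cookie parser that measures the value before copying it and rejects anything that does not fit the destination buffer. The function `cookie_get`, the cookie name `SESSION` and the 64-byte limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SESSION_ID_MAX 64  /* assumed limit; the page does not state the real buffer size */
enum { COOKIE_OK = 0, COOKIE_MISSING = -1, COOKIE_TOO_LONG = -2 };

/* Copy the value of cookie `name` from a raw Cookie header into `out`.
 * The bug class is an unbounded copy (strcpy, sprintf, sscanf "%s") of this
 * value into a fixed-size buffer. Here the length is checked first and an
 * oversized value is rejected outright, never truncated or copied. */
int cookie_get(const char *header, const char *name, char *out, size_t out_len)
{
    size_t name_len = strlen(name);
    const char *p = header;

    if (out_len == 0)
        return COOKIE_TOO_LONG;
    out[0] = '\0';                          /* caller never sees stale data */
    while (*p) {
        while (*p == ' ' || *p == ';')      /* skip pair separators */
            p++;
        const char *end = strchr(p, ';');   /* end of this name=value pair */
        if (!end)
            end = p + strlen(p);
        if ((size_t)(end - p) > name_len && p[name_len] == '=' &&
            strncmp(p, name, name_len) == 0) {
            const char *val = p + name_len + 1;
            size_t val_len = (size_t)(end - val);
            if (val_len >= out_len)         /* no room for value plus NUL */
                return COOKIE_TOO_LONG;
            memcpy(out, val, val_len);
            out[val_len] = '\0';
            return COOKIE_OK;
        }
        p = end;
    }
    return COOKIE_MISSING;
}

int main(void)
{
    char sid[SESSION_ID_MAX];
    /* Constructed header; the cookie name SESSION is hypothetical. */
    int rc = cookie_get("lang=en; SESSION=abc123", "SESSION", sid, sizeof sid);
    printf("rc=%d value=%s\n", rc, sid);
    return rc == COOKIE_OK ? 0 : 1;
}
```

A handler built this way should treat `COOKIE_TOO_LONG` as a rejected request and log it, since a session cookie far beyond the expected length is a useful detection signal in its own right.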

The second flaw revealed (CVE-2018-1150) leverages a backdoor functionality on the NUUO NVRMini2 device web server, allowing an unauthenticated attacker to change the password for any registered user except the system administrator.

The patch issued by NUUO covers software versions 3.9.1 and later. Specialists in ethical hacking from the International Institute of Cyber Security point out that affected devices must be manually updated to ensure the correct operation of the patch.