A critical vulnerability in software from a global vendor of video surveillance equipment puts the security of video feeds from over 100 camera brands and more than 2,500 camera models at risk.
An attacker exploiting the security bug could take total control of the affected equipment and so monitor, alter or disable video surveillance footage.
The vulnerability was found in NVRMini2’s video management software by Jacob Baines, senior research engineer at cybersecurity company Tenable. He found an unauthenticated stack buffer overflow that leads to remote code execution.
The vulnerability, dubbed Peekaboo, is tracked as CVE-2018-1149 and received a critical severity score.
NVRMini2 is a portable network video recorder (NVR) that acts as a NAS (network-attached storage) device. It was created by NUUO, a company that offers it to partners under an OEM license or as a white-label product.
NUUO products are used for web-based surveillance in various industries, including retail, banking, transportation, education and government, so it is difficult to determine how many devices are affected. According to information from NUUO, the company has over 100,000 installations deployed worldwide.
In its blog post, Tenable states: “Once exploited, Peekaboo gives cyber criminals access to the control management system (CMS), exposing the credentials for all connected CCTV cameras. Using root access on the NVRMini2 device, cyber criminals could disconnect the live feeds and tamper with security footage.”
At present no patch is available, but the NVR manufacturer says it is working on one. Administrators of the video surveillance equipment are advised to restrict access to networks containing vulnerable devices to authorized users only.
Baines has developed proof-of-concept code demonstrating how Peekaboo could be exploited. Tenable made a short video explaining how the vulnerability works.
A backdoor is also present
Tenable has found a second vulnerability (CVE-2018-1150) in NUUO’s NVR devices, which is a backdoor that enables listing of all user accounts on the system and changing their passwords.
However, this vulnerability cannot be exploited remotely: CVE-2018-1150 can be exploited only with a presence on the local network.
It is not known how the backdoor got into the firmware; it may be leftover code, or it could have been planted by someone with malicious intent.