Overview
NUUO NVRmini 2, NVRsolo, Crystal, and Netgear ReadyNAS Surveillance products have web management interfaces containing multiple vulnerabilities that can be leveraged to gain complete control of affected devices.
Description
NUUO NVRmini 2, NVRsolo, and Crystal and Netgear ReadyNAS Surveillance are Network Video Recorder (NVR) systems with Network Attached Storage (NAS) functionality for managing IP cameras. The web management interfaces of these products are reported to contain multiple vulnerabilities. Note that additional products not identified here may be vulnerable if they use the same web interface; firmware versions earlier than those specified below may also be vulnerable.

CWE-20: Improper Input Validation - CVE-2016-5674
CWE-285: Improper Authorization - CVE-2016-5676

The cgi_system binary can be called directly and given commands by anyone capable of reaching the web interface, without authentication. To reset the administrator account password, for example, an unauthenticated attacker can make a request to:

http://<IP>/cgi-bin/cgi_system?cmd=loaddefconfig

CVE-2016-5676 has been confirmed by the researcher to affect NUUO NVRmini 2 and NVRsolo versions 1.7.5 to unknown (versions 2.2.1 and 3.0.0 require authentication), and ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1.

CWE-200: Information Exposure - CVE-2016-5677

Potentially sensitive system information is exposed by the hidden page __nvr_status___.php. The page is accessible to all users via page-specific hard-coded credentials, nuuoeng:qwe23622260.

CVE-2016-5677 has been confirmed by the researcher to affect:
CWE-798: Use of Hard-Coded Credentials - CVE-2016-5678

According to the researcher, NUUO NVRmini 2 and NVRsolo versions 1.0.0 to 3.0.0 contain hard-coded credentials. An attacker with knowledge of these credentials may log into affected devices with root privileges.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2016-5679

The sn parameter of the transfer_license command in cgi_main does not properly validate user-provided input. An authenticated attacker may make a specially crafted request to execute arbitrary commands:

http://<IP>/cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn=";<command>;#

According to the researcher, NUUO NVRmini 2 versions 1.7.6 to 3.0.0 and ReadyNAS Surveillance version 1.1.2 are affected. Note that this vulnerability can be exploited by any user locally, but requires an administrator account for remote exploitation.

CWE-121: Stack-based Buffer Overflow - CVE-2016-5680

The sn parameter of the transfer_license command in cgi_main also contains a stack-based buffer overflow vulnerability. An authenticated attacker may send a specially crafted request to overflow the buffer and execute arbitrary code:

http://<IP>/cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn=<payload>

NUUO NVRmini 2 versions 1.7.6 to 3.0.0 and ReadyNAS Surveillance x86 version 1.1.2 are affected, according to the researcher. CVE-2016-5680 can be exploited by any user locally, but requires an administrator account for remote exploitation.

For more information about these vulnerabilities, refer to Pedro Ribeiro's disclosure.
Impact
A remote, unauthenticated attacker can make specially crafted requests to execute arbitrary commands as root, for example by resetting the administrator password through cgi_system (CVE-2016-5676) and then using the resulting administrator access to exploit the transfer_license command injection (CVE-2016-5679).
Solution
The CERT/CC is currently unaware of a practical solution to this problem. Users should consider the following workaround.

Restrict access
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 9.0 | E:F/RL:U/RC:UR |
Environmental | 7.0 | CDP:LM/TD:M/CR:L/IR:H/AR:H |
References
- http://www.nuuo.com/ProductNode.php?stid=0001&node=2
- http://www.nuuo.com/ProductNode.php?stid=0002&node=13
- http://www.nuuo.com/ProductNode.php?stid=0001&node=14
- https://www.netgear.com/business/products/storage/readynas/readynas-surveillance.aspx
- https://cwe.mitre.org/data/definitions/20.html
- https://cwe.mitre.org/data/definitions/285.html
- https://cwe.mitre.org/data/definitions/200.html
- https://cwe.mitre.org/data/definitions/798.html
- https://cwe.mitre.org/data/definitions/78.html
- https://cwe.mitre.org/data/definitions/121.html
- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt
Acknowledgements
Thanks to Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security for reporting these vulnerabilities.
This document was written by Joel Land.
Other Information
CVE IDs: | CVE-2016-5674, CVE-2016-5675, CVE-2016-5676, CVE-2016-5677, CVE-2016-5678, CVE-2016-5679, CVE-2016-5680 |
Date Public: | 2016-08-04 |
Date First Published: | 2016-08-04 |
Date Last Updated: | 2016-08-05 20:09 UTC |
Document Revision: | 38 |