Tenable Research Advisory: Peekaboo Critical Vulnerability In NUUO Network Video Recorder (Sep 17, 2018)
Researchers at Tenable Research discovered two vulnerabilities in monitoring and surveillance company NUUO’s “Network Video Recorder” software in the “NVRMini2” network-connected, video recording device. The two vulnerabilities have been registered as “CVE-2018-1149” and “CVE-2018-1150” and are linked to the third-party vendor software installed on the device. The first vulnerability, CVE-2018-1149, is an unauthenticated stack buffer overflow which allows for remote code execution with root/administrator privileges. This vulnerability could then be leveraged to take over the NVRMini2 device and manipulate the connected cameras. The second vulnerability, CVE-2018-1150, is a backdoor that is believed to be caused by leftover debug code, and allows the list of all user accounts on a system to be accessible with their passwords capable of being manipulated. Changing the passwords could then allow a threat actor access to that account with their own passcode, and then sign on as a legitimate user to view camera feeds or CCTV footage and recordings as well as delete a camera from a system completely. These vulnerabilities could allow threat actors to tamper with security footage and live feeds. A patch is currently in development for both vulnerabilities.
Recommendation: As this story portrays, it is important that your company institute policies regarding software in use and proper maintenance. New security updates should be applied as soon as possible because they often fix minor bugs and critical vulnerabilities that delay work-flow or can be exploited by malicious actors.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.