Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title AVer Information EH6108H+ hybrid DVR contains multiple vulnerabilities
Informations
NameVU#667480First vendor Publication2016-09-13
VendorVU-CERTLast vendor Modification2016-09-22
Severity (Vendor) N/ARevisionM

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score10Attack RangeNetwork
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#667480

AVer Information EH6108H+ hybrid DVR contains multiple vulnerabilities

Original Release date: 13 Sep 2016 | Last revised: 22 Sep 2016

Overview

AVer Information EH6108H+ hybrid DVR, version X9.03.24.00.07l and possibly earlier, reportedly contains multiple vulnerabilities, including undocumented privileged accounts, authentication bypass, and information exposure.

Description

AVer Information EH6108H+ hybrid DVR is an IP security camera management system and streaming video recorder. Version X9.03.24.00.07l and possibly earlier are reported to contain multiple vulnerabilities.

CWE-798: Use of Hard-coded Credentials - CVE-2016-6535

AVer Information EH6108H+ reportedly contains two undocumented, hard-coded account credentials. Both accounts have root privileges and may be used to gain access via an undocumented telnet service that cannot be disabled through the web user interface and runs by default.

CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-6536

By guessing the handle parameter of the /setup page of the web interface, an unauthenticated attacker reportedly may be able to access restricted pages and alter DVR configurations or change user passwords.

CWE-200: Information Exposure - CVE-2016-6537

User credentials are reported to be stored and transmitted in an insecure manner. In the configuration page of the web interface, passwords are stored in base64-encoded strings. In client requests, credentials are listed in plain text in the cookie header.

For more information, refer to the researcher's disclosure.

Impact

A remote, unauthenticated attacker may be able to gain access with root privileges to completely compromise vulnerable devices.

Solution

The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
AVer InformationAffected16 May 201608 Sep 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base10.0AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal9.0E:F/RL:U/RC:UR
Environmental2.3CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/
  • https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-and-more
  • https://cwe.mitre.org/data/definitions/798.html
  • https://cwe.mitre.org/data/definitions/302.html
  • https://cwe.mitre.org/data/definitions/200.html

Credit

Thanks to Travis Lee for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

  • CVE IDs:CVE-2016-6535CVE-2016-6536CVE-2016-6537
  • Date Public:13 Sep 2016
  • Date First Published:13 Sep 2016
  • Date Last Updated:22 Sep 2016
  • Document Revision:15

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/667480

CWE : Common Weakness Enumeration

%idName
33 %CWE-798Use of Hard-coded Credentials (CWE/SANS Top 25)
33 %CWE-264Permissions, Privileges, and Access Controls
33 %CWE-200Information Exposure

CPE : Common Platform Enumeration

TypeDescriptionCount
Hardware1
Os1

Alert History

If you want to see full details history, please login or register.
0
1
2
3
DateInformations
2016-09-22 17:23:18
  • Multiple Updates
2016-09-20 09:26:09
  • Multiple Updates
2016-09-19 09:22:53
  • Multiple Updates
2016-09-13 21:23:36
  • First insertion