Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title NUUO and Netgear Network Video Recorder (NVR) products web interfaces contain multiple vulnerabilities
Informations
NameVU#856152First vendor Publication2016-08-04
VendorVU-CERTLast vendor Modification2016-08-05
Severity (Vendor) N/ARevisionM

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score10Attack RangeNetwork
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#856152

NUUO and Netgear Network Video Recorder (NVR) products web interfaces contain multiple vulnerabilities

Original Release date: 04 Aug 2016 | Last revised: 05 Aug 2016

Overview

NUUO NVRmini 2, NVRsolo, Crystal, and Netgear ReadyNAS Surveillance products have web management interfaces containing multiple vulnerabilities that can be leveraged to gain complete control of affected devices.

Description

NUUO NVRmini 2, NVRsolo, and Crystal, and Netgear ReadyNAS Surveillance are Network Video Recording (NVR) systems with Network Attached Storage (NAS) functionality for managing IP cameras. The web management interfaces of these products are reported to contain multiple vulnerabilities. Note that additional products not identified here may be vulnerable if they use the same web interface; firmware versions earlier than those specified below may also be vulnerable.

CWE-20: Improper Input Validation - CVE-2016-5674

The web management interfaces of affected devices contains a hidden page, __debugging_center_utils__.php, that fails to properly validate the log parameter and passes it as input to the PHP system() function. An unauthenticated attacker may make a specially crafted request to execute arbitrary code as root:

http:///__debugging_center_utils___.php?log=something%3b

CVE-2016-5674 has been confirmed by the researcher to affect the NUUO NVRmini 2 and NVRsolo, versions 1.7.5 to 3.0.0, and the ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1. The CVSS score below describes CVE-2016-5674.

CWE-20: Improper Input Validation - CVE-2016-5675

The handle_daylightsaving.php page does not sanitise the NTPServer parameter, which is processed by the PHP system() function. Authenticated attackers may leverage this vulnerability to execute arbitrary code as root:

http:///handle_daylightsaving.php?act=update&NTPServer=something%3b

CVE-2016-5675 has been confirmed by the researcher to affect:

  • NUUO NVRmini 2, versions 1.7.5 to 3.0.0
  • NUUO NVRsolo, versions 1.0.0 to 3.0.0
  • NUUO Crystal, versions 2.2.1 to 3.2.0
  • ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1

CWE-285: Improper Authorization - CVE-2016-5676

The cgi_system binary can be called directly and given commands by anyone capable of accessing the web interface. To reset the administrator account password, for example, an unauthenticated attacker can make a request to:

http:///cgi-bin/cgi_system?cmd=loaddefconfig

CVE-2016-5676 has been confirmed by the researcher to affect NUUO NVRmini 2 and NVRsolo versions 1.7.5 to unknown (versions 2.2.1 and 3.0.0 require authentication), and ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1.

CWE-200: Information Exposure - CVE-2016-5677

Potentially sensitive system information is exposed by the hidden page, __nvr_status___.php. The page is accessible to all users via page-specific hard-coded credentials, nuuoeng:qwe23622260.

CVE-2016-5677 has been confirmed by the researcher to affect:
  • NUUO NVRmini 2, versions 1.7.5 to 3.0.0
  • NUUO NVRsolo, versions 1.0.0 to 3.0.0
  • ReadyNAS Surveillance, both x86 and ARM versions 1.1.1 to v1.4.1

CWE-798: Use of Hard-Coded Credentials - CVE-2016-5678

According to the researcher, NUUO NVRmini 2 and NVRsolo versions 1.0.0 to 3.0.0 contain hard-coded credentials. An attacker with knowledge of these credentials may log into affected devices with root privileges.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2016-5679

The sn parameter of the transfer_license command in cgi_main does not properly validate user-provided input. An authenticated attacker may make a specially crafted request to execute arbitrary commands:

http:///cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn=";;#

According to the researcher, NUUO NVRmini 2 versions 1.7.6 to 3.0.0 and ReadyNAS Surveillance version 1.1.2 are affected. Note that this vulnerability can be exploited by any user locally, but requires an administrator account for remote exploitation.

CWE-121: Stack-based Buffer Overflow - CVE-2016-5680

The sn parameter of the transfer_license command in cgi_main also contains a stack-based buffer overflow vulnerability. An authenticated attacker may send a specially crafted request to overflow the buffer and execute arbitrary code:

http:///cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn=

NUUO NVRmini 2 versions 1.7.6 to 3.0.0 and ReadyNAS Surveillance x86 version 1.1.2 is affected, according to the researcher. CVE-2016-5680 can be exploited by any user locally, but requires an administrator account for remote exploitation.

For more information about these vulnerabilities, refer to Pedro Ribeiro's disclosure.

Impact

A remote, unauthenticated attacker can make specially crafted requests to execute arbitrary commands as root.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Users should consider the following workarounds.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Netgear, Inc.Affected13 Jun 201602 Aug 2016
NUUOAffected03 Mar 201602 Aug 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base10.0AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal9.0E:F/RL:U/RC:UR
Environmental7.0CDP:LM/TD:M/CR:L/IR:H/AR:H

References

  • http://www.nuuo.com/ProductNode.php?stid=0001&node=2
  • http://www.nuuo.com/ProductNode.php?stid=0002&node=13
  • http://www.nuuo.com/ProductNode.php?stid=0001&node=14
  • https://www.netgear.com/business/products/storage/readynas/readynas-surveillance.aspx
  • https://cwe.mitre.org/data/definitions/20.html
  • https://cwe.mitre.org/data/definitions/285.html
  • https://cwe.mitre.org/data/definitions/200.html
  • https://cwe.mitre.org/data/definitions/798.html
  • https://cwe.mitre.org/data/definitions/78.html
  • https://cwe.mitre.org/data/definitions/121.html
  • https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt

Credit

Thanks to Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

  • CVE IDs:CVE-2016-5674CVE-2016-5675CVE-2016-5676CVE-2016-5677CVE-2016-5678CVE-2016-5679CVE-2016-5680
  • Date Public:04 Aug 2016
  • Date First Published:04 Aug 2016
  • Date Last Updated:05 Aug 2016
  • Document Revision:37

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/856152

CWE : Common Weakness Enumeration

%idName
29 %CWE-20Improper Input Validation
14 %CWE-798Use of Hard-coded Credentials (CWE/SANS Top 25)
14 %CWE-285Improper Access Control (Authorization)
14 %CWE-200Information Exposure
14 %CWE-119Failure to Constrain Operations within the Bounds of a Memory Buffer
14 %CWE-78Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application8
Application4
Os19
Os19

SAINT Exploits

DescriptionLink
NETGEAR ReadyNAS Surveillance Command ExecutionMore info here

Snort® IPS/IDS

DateDescription
2016-12-20Netgear ReadyNAS Surveillance cgi_system administrator password reset attempt
RuleID : 40815 - Revision : 2 - Type : SERVER-WEBAPP
2016-10-01Netgear ReadyNAS Surveillance cgi_main stack buffer overflow attempt
RuleID : 39982 - Revision : 2 - Type : SERVER-WEBAPP
2016-10-01Netgear ReadyNAS Surveillance cgi_main stack buffer overflow attempt
RuleID : 39981 - Revision : 2 - Type : SERVER-WEBAPP
2016-10-01Netgear ReadyNAS Surveillance cgi_main command injection attempt
RuleID : 39980 - Revision : 2 - Type : SERVER-WEBAPP
2016-10-01Netgear ReadyNAS Surveillance cgi_main command injection attempt
RuleID : 39979 - Revision : 2 - Type : SERVER-WEBAPP
2016-10-01Netgear ReadyNAS Surveillance cgi_main command injection attempt
RuleID : 39978 - Revision : 2 - Type : SERVER-WEBAPP
2016-09-13Netgear ReadyNAS Surveillance handle_daylightsaving command injection attempt
RuleID : 39848 - Revision : 2 - Type : SERVER-WEBAPP
2016-09-13Netgear ReadyNAS Surveillance handle_daylightsaving command injection attempt
RuleID : 39847 - Revision : 2 - Type : SERVER-WEBAPP
2016-09-13Netgear ReadyNAS Surveillance debugging_center_utils command injection attempt
RuleID : 39846 - Revision : 2 - Type : SERVER-WEBAPP
2016-09-13Netgear ReadyNAS Surveillance debugging_center_utils command injection attempt
RuleID : 39845 - Revision : 2 - Type : SERVER-WEBAPP

Metasploit Database

idDescription
2016-08-04 NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Unauthenticated Remote Code Execution
2016-08-04 NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Default Configuration Load and Administrator Password Reset
2016-08-04 NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance Authenticated Remote Code Execution

Alert History

If you want to see full details history, please login or register.
0
1
2
3
DateInformations
2016-09-01 00:25:46
  • Multiple Updates
2016-08-31 21:27:37
  • Multiple Updates
2016-08-06 00:23:23
  • Multiple Updates
2016-08-04 17:23:44
  • First insertion