Security researchers have discovered another critical bug in IoT security camera systems that could allow attackers to hijack devices.
Nozomi Networks found remote code execution vulnerability CVE-2021-32941 in the web service of the Annke N48PBB network video recorder (NVR) — used by consumers and businesses.
NVRs are an important part of any connected security camera system in that they’re designed to capture, store and manage incoming video feeds from IP cameras.
If exploited, the vulnerability could cause a stack-based buffer overflow, allowing an unauthenticated, remote attacker to access sensitive information and execute code, according to an ICS advisory from the Cybersecurity and Infrastructure Security Agency (CISA).
Nozomi Networks said this could lead to a loss of confidentiality, integrity and device availability. In practice, this means enabling attackers to snoop on or delete footage, change the configuration of motion detector alarms, or halt recording altogether.
As such, a cyber-attack exploiting CVE-2021-32941 could be used to support physical robberies of premises protected by Annke devices.
The bug itself could be exploited directly by attackers to elevate privileges on the system and indirectly in drive-by-download attacks.
“It is sufficient for an administrator, operator, or user to browse a specifically crafted webpage, while simultaneously logged in to the web interface of the device, to potentially cause the execution of external malicious code on the device itself,” warned Nozomi.
Fortunately, Annke acted quickly to fix the issue, releasing new firmware to patch the problem just 11 days after Nozomi’s responsible disclosure.
This is the second critical flaw affecting IoT cameras that Nozomi Networks has found this summer. Back in June it warned of a bug in a popular software component from ThroughTek, which OEMs use to manufacture IP cameras, and baby and pet monitoring cameras.
This could also have allowed attackers to eavesdrop on users.
Another vulnerability was found in ThroughTek’s Kalay platform just last week, affecting potentially millions of devices.