The vulnerability research team at Digital Defense announced that it has discovered a zero-day vulnerability in the Nuuo NVRmini 2 network video recorder (NVR) firmware, software used by hundreds of thousands of surveillance cameras worldwide.
Reportedly caused by “improper sanitization of user-supplied inputs and lack of length checks on data used in unsafe string operations on local stack variables,” the flaw ("lite_mv" Remote Stack Overflow in NUUO NVRmini2 3.9.1) would allow an attacker to gain remote access as an unauthenticated user. The attacker could then execute arbitrary code with root privileges.
According to the researchers, NVRmini2 firmware version 3.9.1 and prior is vulnerable to an unauthenticated remote buffer overflow that could potentially be leveraged by an attacker. Exploiting the vulnerability could allow an attacker to modify the camera feeds to the NVR and change its configuration or recordings.
A patch has since been issued, and Digital Defense commended NUUO for its swift response in providing fixes to the security issue.
In related news, Tenable researcher David Wells recently disclosed a vulnerability (CVE-2018-15715) in Zoom applications for Windows and macOS that could also be exploited by an unauthorized user to invoke functions normally reserved for Zoom servers.
The two disclosed vulnerabilities in NVRs are indicative of the potential security problems in these internet of things (IoT) devices. According to Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT), NVRs are one of the earliest types of connected devices to be successful in the market.
Because they were so early to market, many of these systems haven’t evolved, making them vulnerable to the same types of basic flaws, Young said. “Anyone using the Nuuo NVRmini 2 needs to prioritize patch deployment for affected systems, regardless if the device is directly exposed to the Internet.
"This can be exploited with an unauthenticated HTTP request, and attackers can craft malicious web pages which search local networks for affected systems to compromise. This type of attack is known as cross-site request forgery and can come from malicious emails, advertisements, and even comment spam.”