NUUO and Netgear Network Video Recorder (NVR) products web interfaces contain multiple vulnerabilities

Overview

NUUO NVRmini 2, NVRsolo, Crystal, and Netgear ReadyNAS Surveillance products have web management interfaces containing multiple vulnerabilities that can be leveraged to gain complete control of affected devices.

Description

NUUO NVRmini 2, NVRsolo, and Crystal, and Netgear ReadyNAS Surveillance are Network Video Recording (NVR) systems with Network Attached Storage (NAS) functionality for managing IP cameras. The web management interfaces of these products are reported to contain multiple vulnerabilities. Note that additional products not identified here may be vulnerable if they use the same web interface; firmware versions earlier than those specified below may also be vulnerable.

CWE-20: Improper Input Validation - CVE-2016-5674

The web management interfaces of affected devices contains a hidden page, __debugging_center_utils__.php, that fails to properly validate the log parameter and passes it as input to the PHP system() function. An unauthenticated attacker may make a specially crafted request to execute arbitrary code as root:

http://<IP>/__debugging_center_utils___.php?log=something%3b<payload>

CVE-2016-5674 has been confirmed by the researcher to affect the NUUO NVRmini 2 and NVRsolo, versions 1.7.5 to 3.0.0, and the ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1. The CVSS score below describes CVE-2016-5674.

CWE-20: Improper Input Validation - CVE-2016-5675

The handle_daylightsaving.php page does not sanitise the NTPServer parameter, which is processed by the PHP system() function. Authenticated attackers may leverage this vulnerability to execute arbitrary code as root:

http://<IP>``/handle_daylightsaving.php?act=update&NTPServer=something%3b<payload>

CVE-2016-5675 has been confirmed by the researcher to affect:

* NUUO NVRmini 2, versions 1.7.5 to 3.0.0
* NUUO NVRsolo, versions 1.0.0 to 3.0.0
* NUUO Crystal, versions 2.2.1 to 3.2.0
* ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1

CWE-285: Improper Authorization - CVE-2016-5676

The cgi_system binary can be called directly and given commands by anyone capable of accessing the web interface. To reset the administrator account password, for example, an unauthenticated attacker can make a request to:

http://<IP>/cgi-bin/cgi_system?cmd=loaddefconfig

CVE-2016-5676 has been confirmed by the researcher to affect NUUO NVRmini 2 and NVRsolo versions 1.7.5 to unknown (versions 2.2.1 and 3.0.0 require authentication), and ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1.

CWE-200: Information Exposure - CVE-2016-5677

Potentially sensitive system information is exposed by the hidden page, __nvr_status___.php. The page is accessible to all users via page-specific hard-coded credentials, nuuoeng:qwe23622260.

CVE-2016-5677 has been confirmed by the researcher to affect:

* NUUO NVRmini 2, versions 1.7.5 to 3.0.0
* NUUO NVRsolo, versions 1.0.0 to 3.0.0
* ReadyNAS Surveillance, both x86 and ARM versions 1.1.1 to v1.4.1

CWE-798: Use of Hard-Coded Credentials - CVE-2016-5678

According to the researcher, NUUO NVRmini 2 and NVRsolo versions 1.0.0 to 3.0.0 contain hard-coded credentials. An attacker with knowledge of these credentials may log into affected devices with root privileges.

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) - CVE-2016-5679

The sn parameter of the transfer_license command in cgi_main does not properly validate user-provided input. An authenticated attacker may make a specially crafted request to execute arbitrary commands:

http://<IP>/cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn=";<command>;#

According to the researcher, NUUO NVRmini 2 versions 1.7.6 to 3.0.0 and ReadyNAS Surveillance version 1.1.2 are affected. Note that this vulnerability can be exploited by any user locally, but requires an administrator account for remote exploitation.

CWE-121: Stack-based Buffer Overflow - CVE-2016-5680

The sn parameter of the transfer_license command in cgi_main also contains a stack-based buffer overflow vulnerability. An authenticated attacker may send a specially crafted request to overflow the buffer and execute arbitrary code:

http://<IP>/cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn=<payload>

NUUO NVRmini 2 versions 1.7.6 to 3.0.0 and ReadyNAS Surveillance x86 version 1.1.2 is affected, according to the researcher. CVE-2016-5680 can be exploited by any user locally, but requires an administrator account for remote exploitation.

For more information about these vulnerabilities, refer to Pedro Ribeiro’s disclosure.

Impact

A remote, unauthenticated attacker can make specially crafted requests to execute arbitrary commands as root.

---

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Users should consider the following workarounds.

---

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

---

Vendor Information

856152

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

NUUO __ Affected

Notified: March 03, 2016 Updated: August 02, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

NUUO NVRmini 2, NVRsolo, and Crystal are affected.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23856152 Feedback>).

Netgear, Inc. __ Affected

Notified: June 13, 2016 Updated: August 02, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Netgear ReadyNAS Surveillance is affected.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23856152 Feedback>).

CVSS Metrics

Group	Score	Vector
Base	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal	9	E:F/RL:U/RC:UR
Environmental	7.0	CDP:LM/TD:M/CR:L/IR:H/AR:H

References

• http://www.nuuo.com/ProductNode.php?stid=0001&node=2
• http://www.nuuo.com/ProductNode.php?stid=0002&node=13
• http://www.nuuo.com/ProductNode.php?stid=0001&node=14
• <https://www.netgear.com/business/products/storage/readynas/readynas-surveillance.aspx&gt;
• <https://cwe.mitre.org/data/definitions/20.html&gt;
• <https://cwe.mitre.org/data/definitions/285.html&gt;
• <https://cwe.mitre.org/data/definitions/200.html&gt;
• <https://cwe.mitre.org/data/definitions/798.html&gt;
• <https://cwe.mitre.org/data/definitions/78.html&gt;
• <https://cwe.mitre.org/data/definitions/121.html&gt;
• <https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt&gt;

Acknowledgements

Thanks to Pedro Ribeiro ([email protected]) of Agile Information Security for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs:	CVE-2016-5674, CVE-2016-5675, CVE-2016-5676, CVE-2016-5677, CVE-2016-5678, CVE-2016-5679, CVE-2016-5680
Date Public:	2016-08-04 Date First Published: