Malicious hackers could access and delete footage or disable cameras
UPDATED A remote code execution (RCE) vulnerability in a network video recorder (NVR) manufactured by Annke could result in a complete compromise of the IoT device.
The critical flaw (CVE-2021-32941) was discovered in the playback functionality of NVR model N48PBB, which captures and records live streams from up to eight IP security cameras and provides centralized, remote management of video surveillance systems.
Security camera operators with susceptible installations have been urged to update their firmware as soon as possible to avoid the havoc attackers could potentially wreak.
YOU MIGHT ALSO LIKE Rampant misconfigurations in Microsoft Power Apps exposed 38 million records
According to a blog post published yesterday (August 26) by Nozomi Networks, unauthenticated attackers could access “private information recorded on videos, obtain the position of valuable assets, or stalk people”.
Miscreants could also delete video footage, reconfigure motion detection alarms, disable specified cameras, or shut down the NVR altogether.
Annke, which is headquartered in Hong Kong, claims its security cameras, NVRs, and related accessories have been used by five million businesses or homeowners worldwide.
Researchers initially found a Denial of Service (DoS) flaw when fuzzing HTTP requests sent by the client to search camera footage. This finding prompted them to debug the system at the hardware level.
This ultimately gave them unrestricted SSH access and led them to a vulnerable function – ‘sscanf’ – that yielded a stack-based buffer overflow.
The output of the Unix ‘ps’ program then confirmed that the binary ran with root privileges, transforming the memory corruption bug into an RCE that is CVSS-rated as 9.4.
“As the [video] search functionality is accessible by all users of the device by default, the vulnerability could be exploited (on unpatched NVRs) directly by malicious operators, or users, to elevate their privileges on the system,” said Nozomi Networks.
An absence of anti-CSRF (cross-site request forgery) mitigations in the playback functionality also means “the vulnerability could be exploited indirectly by external attackers in ‘drive-by download’ attacks”.
‘Fast response time’
Nozomi Networks alerted Annke to the flaw on July 11, 2021, and the vendor released firmware addressing the vulnerability on July 22. “This is a notably fast response time, and we applaud Annke for it,” said Nozomi Networks.
The flaw affects V3.4.106 build 200422 and all previous versions.
A spokesperson for Annke told The Daily Swig: “Customers’ privacy is our top priority. When we noticed the issue, our R&D team investigated the issue immediately, and released the firmware update for the specific NVR at once.
“The firmware update is now available on our ANNKE official online store and we have announced the update on our forum.”
The US Cybersecurity and Infrastructure Agency’s own advisory on the vulnerability offers mitigations for vulnerable systems and reports no evidence, as yet, of in-the-wild exploitation.
Security through transparency
Nozomi Networks has advised video surveillance teams to ensure they’re running an IoT and OT (operational technology) network monitoring solution and to consider “privacy laws applicable in the jurisdiction of the vendors” when purchasing security camera systems.
“This is yet another example of how impactful a security vulnerability can be when affecting an IoT camera system,” Nozomi Networks Labs told The Daily Swig.
“Considering that many critical sectors (industry, transportation, public places and utilities, to cite a few) depend on these devices for surveillance and monitoring of sensitive areas, and the expected growth in the future, it is more paramount than ever that asset owners are provided by vendors with full transparent solutions which do not rely on security-through-obscurity approaches.”
This article was updated on August 31 with additional comments from Annke.