Vulnerability that would allow an attacker to manipulate CCTV cameras
Researchers discovered a vulnerability in NUUO software used with CCTV security cameras that would allow third parties to spy, manipulate videos and implant malware. The company has already released a patch that repairs the bug.
Tenable researchers recently discovered a critical vulnerability, called Peekaboo, that affects video recording software that is part of a CCTV solution offered by NUUO. This flaw would allow an attacker to access video logs and alter the recordings by executing malicious code remotely. The company has already released a patch for this vulnerability, which can be downloaded from the official site.
Right inside the software
The vulnerability affects the software used by NVRMini2, a network storage device that records video in digital format and is used with CCTV security cameras. Once exploited, it would allow an attacker to access the control system, which is equivalent to accessing the credentials for all connected security cameras, disconnecting them and making changes to the recordings.
Tracked as CVE-2018-1149, this buffer overflow vulnerability would allow an attacker to reach the Common Gateway Interface (CGI) used by the camera's web server, which acts as an intermediate point between a remote user and the web server. According to the investigation, the CGI does not adequately validate user input, which allows access to part of the camera's web server and arbitrary code execution.
In addition, a second vulnerability (CVE-2018-1150) stems from a backdoor in the NVRMini2 application that an attacker can use to connect to the web server. Once the backdoor is enabled within the PHP code, it allows an unauthenticated attacker to modify the password of any registered user except the system administrator.
A big company's responsibility
NUUO is a leading company in the video surveillance industry, and these types of devices have more than 100,000 installations throughout the world. In addition, its software is used by third-party surveillance systems. Taking into account that the NVRMini2 solution can have up to 16 CCTV cameras connected, the number of devices that can be affected is in the hundreds of thousands.
In a statement, the company announced the corresponding updates, which must be installed manually to avoid falling victim to exploitation of these vulnerabilities.