Nuuo and Netgear video surveillance recorders affected by multiple flaws
US-CERT warns of multiple flaws in the NUUO NVRmini and other network video recorders from the same vendor.
The US-CERT has issued a security advisory related to the presence of multiple vulnerabilities in the Web interface of a Netgear ReadyNAS Surveillance video recorder and various devices manufactured by the video recording company NUUO.
The vulnerable devices produced by NUUO are NVRmini 2, NVRsolo, and Crystal. All the affected products are Network Video Recording (NVR) systems with Network Attached Storage (NAS) functionality for managing IP cameras.
The flaws were discovered by Pedro Ribeiro from Agile Information Security.
“NUUO NVRmini 2, NVRsolo, and Crystal, and Netgear ReadyNAS Surveillance products have web management interfaces containing multiple vulnerabilities that can be leveraged to gain complete control of affected devices,” states the security advisory issued by the CERT.
The experts at the CERT warn that exploitation of the flaws can give attackers complete control over the surveillance devices. The flaws range from input validation issues to buffer overruns.
The web management interface of affected devices contains a hidden page, __debugging_center_utils__.php, that does not validate its input correctly. The page fails to validate the log parameter and passes it as input to the PHP system() function.
An unauthenticated attacker may exploit this Improper Input Validation flaw (CVE-2016-5674) by sending a specially crafted request, which executes arbitrary code with root privileges.
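For defenders reviewing web-server logs from an affected recorder, the following added example (not from the advisory or the vendor) flags requests to the hidden page described above and grades them by what the log parameter contains. It assumes access logs in Common Log Format; the allowlist, the finding labels and the sample lines are illustrative choices.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

HIDDEN_PAGE = "__debugging_center_utils__.php"  # page named in the advisory
# Assumption: a conservative allowlist; anything else in `log` is suspicious.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]*")
# Assumption: Common/Combined Log Format: ip ... "METHOD target HTTP/x" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (ip, method, finding) for requests to the hidden page, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Decode the path so a percent-encoded page name is still recognised.
    if not unquote(parts.path).lower().endswith("/" + HIDDEN_PAGE):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("log", [])
    if not values:
        # Still an alert: the page is hidden, and a `log` value sent in a
        # POST body never shows up in an access log.
        finding = "page-access"
    elif all(SAFE_VALUE.fullmatch(v) for v in values):
        finding = "log-param"
    else:
        finding = "log-param-suspicious"
    return (m["ip"], m["method"], finding)

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Aug/2016:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Aug/2016:10:00:05 +0000] "GET /__debugging_center_utils__.php HTTP/1.1" 200 128',
    '198.51.100.7 - - [10/Aug/2016:10:00:09 +0000] "GET /__debugging_center_utils__.php?log=a%3Bb HTTP/1.1" 200 64',
    '203.0.113.4 - - [10/Aug/2016:10:01:00 +0000] "POST /__debugging_center_utils__.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Because the page is hidden and the flaw needs no authentication, any hit, including a bare `page-access`, is worth investigating on an unpatched device.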
Source | securityaffairs