NUUO NVRmini2 Network Video Recorder firmware vulnerability allows arbitrary code

A vulnerability in NUUO NVRmini2 Network Video Recorder firmware version 3.9.1 and prior could allow an unauthenticated remote attacker to execute arbitrary code on the system with root privileges.

The product is vulnerable to an unauthenticated remote buffer overflow caused by improper sanitization of user-supplied input and a lack of length checks on data used in unsafe string operations on local stack variables, according to a Nov. 29 press release.

An attacker could exploit this flaw to access and/or modify the camera feeds to the NVR and change the configuration or recordings on the NVR.

NUUO has since released a patch for the vulnerability, which can be downloaded from the company website.

“NUUO has worked closely with our VRT to ensure a fix is available to organizations utilizing the affected firmware,” Tom DeSot, executive vice president and CIO at Digital Defense, said. “NUUO’s rapid response to the identification of the issue and collaboration has resulted in a quick resolution.”
