Multiple vulnerabilities, including a zero-day, have been uncovered in NUUO NVRMini2 video software that, if exploited, could expose thousands of surveillance cameras to remote code execution, allowing the video feed to be viewed and altered by unauthorized people.
The flaws, dubbed Peekaboo, were discovered by Tenable Research and potentially affect more than 100 brands and 2,500 camera models. NUUO software and devices are commonly used for commercial web-based video monitoring and surveillance. The vulnerabilities could allow attackers to escalate their privileges to a level where they could not only disconnect the live feed, but also replace it with something entirely different, such as a static image, in order to confuse security personnel.
“The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe. As more IoT devices are brought online, the attack surface expands and introduces new risks to both consumers and organizations,” said Tenable CTO and co-founder Renaud Deraison.
NUUO versions 3.9.0 and earlier are affected.
The first problem, CVE-2018-1149, is that the implemented session handling mechanism does not validate user input properly, which an attacker can exploit to trigger a stack overflow in the session management routines in order to execute arbitrary code. Next, the NUUO NVRMini2 web server, CVE-2018-1150, contains backdoor PHP code that, when enabled, would allow an unauthorized individual to change the password of any registered user except the system administrator.
Tenable said it has notified NUUO of the issues and although a patch has not been issued by that company it did say one is under development. In the meantime, Tenable is recommending those using the vulnerable devices disconnect them from the internet or update the software to version 3.9.1.
“Unfortunately, many users will be unaware that their devices are vulnerable because NUUO software is also integrated into products from other vendors. In these cases, users should contact their video surveillance vendors to confirm whether they are exposed and when a patch will be released,” Tenable said.
The company has also created a plugin to assess whether or not a system is at risk.