A popular network video recorder for surveillance cameras contains an easily exploitable critical remote code execution vulnerability that could allow attackers to view feeds and tamper with recorded material, security researchers have found.
Security vendor Tenable located a critical unauthenticated stack buffer overflow bug in the web-based admin interface for NUUO's NVRMini2 network recorder for surveillance video cameras.
Dubbed "Peekaboo" by Tenable, the critical flaw has been rated 10.0, the highest score on the Common Vulnerability Scoring System (CVSS).
It has been assigned the Common Vulnerabilities and Exposures identifier CVE-2018-1149.
NVRMini2 runs an open-source web server that supports executable binaries through a common gateway interface (CGI) handler, which is reachable via an HTTP URL.
"During authentication, the cookie parameter’s session ID size isn’t checked, which allows for a stack buffer overflow in the sprintf function.
"This vulnerability allows for remote code execution with 'root' or administrator privileges," Tenable wrote.
Successful exploitation of the Peekaboo flaw gives attackers access to the device control management system and exposes credentials to all connected CCTV cameras, Tenable said.
Once in control, attackers can disconnect live camera feeds and tamper with security footage, which could lead to unauthorised entry into guarded areas going undetected.
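The bug class Tenable describes, an unchecked cookie session ID formatted into a fixed stack buffer, is closed by validating length and character set before a bounded write. The following C sketch is an added example, not NUUO's or Tenable's code; the cookie name `SESSID`, the `/tmp/sess_` path and both size limits are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SESSION_ID_MAX   32   /* assumed upper bound on a valid session ID */
#define SESSION_PATH_MAX 64   /* assumed size of the path buffer */

/* Unsafe pattern of the kind described above (shown only for contrast):
 *   char path[SESSION_PATH_MAX];
 *   sprintf(path, "/tmp/sess_%s", id);    id length is never checked
 */

/* Find cookie `name` in a Cookie header and build the session file path.
 * Returns 0 on success, -1 if the ID is missing, empty, longer than
 * SESSION_ID_MAX, not purely alphanumeric, or does not fit in `out`. */
int session_path_from_cookie(const char *cookie_hdr, const char *name,
                             char *out, size_t out_len)
{
    size_t name_len = strlen(name);
    const char *p = cookie_hdr;

    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;          /* start of next cookie */
        if (strncmp(p, name, name_len) == 0 && p[name_len] == '=') {
            const char *val = p + name_len + 1;
            size_t len = strcspn(val, ";");          /* value ends at ';' */
            if (len == 0 || len > SESSION_ID_MAX) return -1;
            for (size_t i = 0; i < len; i++)         /* blocks "../" etc. */
                if (!isalnum((unsigned char)val[i])) return -1;
            int n = snprintf(out, out_len, "/tmp/sess_%.*s", (int)len, val);
            return (n < 0 || (size_t)n >= out_len) ? -1 : 0; /* truncation */
        }
        p = strchr(p, ';');
    }
    return -1;
}

int main(void)
{
    char path[SESSION_PATH_MAX];
    /* Constructed sample header, not captured traffic. */
    const char *hdr = "lang=en; SESSID=abc123DEF";
    if (session_path_from_cookie(hdr, "SESSID", path, sizeof path) == 0)
        printf("%s\n", path);
    return 0;
}
```

Rejecting the request on any validation failure, rather than truncating the ID, also keeps an attacker-controlled value from selecting a different session file.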
Furthermore, leftover debug code in the NVRMini2 contains a backdoor, which allows attackers to list all user accounts on a system and change their passwords, Tenable said.
Tenable said hundreds of thousands of devices made by NUUO, both under its own brand and white-labelled to other vendors, are insecure and need to be updated.
NUUO lists government organisations, enterprises and businesses in multiple countries around the world as users of its cameras, albeit not in Australia.
The company is preparing a patch for the vulnerability, and advised customers to contact it for further information.
Tenable advised customers to restrict network access to vulnerable devices to authorised and legitimate users only.
Insecure Internet of Things (IoT) devices have become popular attack vectors as they frequently run unpatched software and firmware with critical vulnerabilities.
Mirai and its derivative malware press-ganged thousands of internet-connected cameras around the world into a distributed denial of service botnet, causing network outages in the eastern United States as networks were overwhelmed with bogus data.