- ‘Peekaboo’ is a stack buffer overflow zero-day vulnerability and is assigned as CVE-2018-1149.
- The bug can allow attackers to steal data including credentials, IP addresses, port usages and the model numbers of IoT video and security cameras.
A new zero-day vulnerability called Peekaboo was just discovered affecting security cameras and surveillance equipment that use the NUUO software. The bug is assigned as CVE-2018-1149 and can allow attackers to execute code remotely in the software.
Peekaboo is a stack buffer overflow vulnerability which when exploited, can allow attackers to view and tamper with video feeds recorded on internet connected surveillance cameras. Successful exploitation of the bug can also allow attackers to steal data including credentials, IP addresses, port usages, and device model numbers.
In addition, the bug can also allow attackers to disable cameras or replace the footage with a static image.
“The remote code execution vulnerability especially is of particular concern. Once exploited, Peekaboo gives cybercriminals access to the control management system (CMS), exposing the credentials for all connected CCTV cameras,” security researchers at Tenable, who discovered and disclosed the flaw, wrote in their blog post. “Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.”
The vulnerability was successfully tested on NVRMini 2 - a network-attached storage device and network video recorder.
Commenting on the impact Peekaboo could have, Gavin Millard, VP of threat intelligence at Tenable, told ZDNet that the bug is estimated to affect hundreds of thousands of web-based cameras and devices across the world. Organizations worldwide, including shopping centers, hospitals, banks, and public areas rely on NUUO software - which hints at the potential scale of Peekaboo’s impact.
NUUO is currently working on addressing the issue. However, until then Tenable has advised users to restrict network access to vulnerable devices.
“NUUO has informed Tenable that a patch is being developed and affected customers should contact NUUO for further information. In the meantime, we advise affected end users to restrict and control network access to the vulnerable devices to authorized and legitimate users only,” Tenable researchers said.