
Researchers Observe a Spike in Attacks Against TBK DVR Camera Devices

An unpatched five-year-old authentication bypass flaw discovered in TBK DVR video recording devices is being exploited in the wild to steal sensitive footage from corporate networks. Fortinet’s FortiGuard Labs is observing an uptick in hacking attempts against these devices as threat actors leverage a publicly available PoC exploit to target vulnerable servers.

TBK Vision’s website claims that its products are deployed across organizations in the banking, government, and retail sectors, which makes them vulnerable to sophisticated attacks.

About the vulnerability

The vulnerability in question is tracked as CVE-2018-9995, a critical authentication bypass issue that remote attackers could exploit to gain access to the impacted network.
  • It has a CVSS score of 9.8 and arises from an error the camera experiences when handling a maliciously crafted HTTP cookie.
  • A remote attacker can also exploit the flaw to bypass authentication and obtain administrative privileges, which eventually leads to access to camera video feeds.

The Fortinet team also noted that no security patches have been provided, even though the flaw is five years old.

How widespread is the impact?

  • Researchers observed more than 50,000 attack attempts on TBK DVR devices with unique IPS detections last month. 
  • The flaw impacts the TBK DVR4104 and TBK DVR4216 product lines, which are also rebranded and sold under the names Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login.

Another notable spike

The team has also detected a spike in attack attempts against MVPower CCTV DVR models. The attackers are exploiting a remote code execution flaw (CVE-2016-20016) in MVPower models TV-7104HE and TV-7108HE to perform unauthenticated command execution using malicious HTTP requests. The flaw has been under active exploitation since 2017. In this case, too, the vendor has not issued a patch to fix the vulnerability.

Conclusion

With PoC exploit code publicly available, the tens of thousands of vulnerable DVR devices sold under different brands make an easy target for attackers. Unfortunately, there are no security updates to address these flaws. Therefore, it is advised to replace vulnerable surveillance systems with actively supported models to prevent unauthorized access.
Cyware Publisher