A critical vulnerability in software from a global vendor of video surveillance equipment puts at risk the security of video feeds from over 100 camera brands and more than 2,500 camera models.
Adversaries exploiting the security bug could take complete control of the affected equipment, allowing them to monitor, modify or disable video surveillance footage.
Jacob Baines, senior research engineer at cybersecurity company Tenable, discovered in NVRMini2's video management software an unauthenticated stack buffer overflow that leads to remote code execution.
Dubbed Peekaboo, the vulnerability is now tracked as CVE-2018-1149 and received a critical severity score.
NVRMini2 is a portable network video recorder (NVR) that doubles as a NAS (network attached storage) device, created by NUUO, a company that offers it to partners under an OEM license or as a white-label.
NUUO products, both software and hardware, are used for web-based surveillance in various industries (retail, banking, transportation, education, government).
For this reason, the total number of devices impacted is difficult to estimate. However, according to information from NUUO, the company has over 100,000 installations deployed worldwide.
"Once exploited, Peekaboo gives cyber criminals access to the control management system (CMS), exposing the credentials for all connected CCTV cameras. Using root access on the NVRMini2 device, cyber criminals could disconnect the live feeds and tamper with security footage," Tenable writes in a blog post.
A patch is not currently available, but the NVR maker says that it is working on a solution. Administrators of the video surveillance equipment are advised to restrict access to the network with vulnerable devices to authorized users only.
Baines developed proof-of-concept code that demonstrates how Peekaboo could be exploited and made it publicly available. If history taught us something, soon we should see it it integrated in Mirai-based malware.
Tenable made a short video that explains how the vulnerability works:
Tenable discovered a second vulnerability (CVE-2018-1150) in NUUO's NVR devices, which is a backdoor that enables listing of all user accounts on the system and changing their passwords.
Unlike Peekaboo, which can be exploited remotely, taking advantage of the CVE-2018-1150 bug requires presence on the local network.
The researchers say are not sure if how the backdoor got in the firmware: it could be the result of leftover code or it could be planted by someone with malicious intent.