Multiple vulnerabilities, including a zero-day, have been uncovered in NUUO NVRMini2 video software that, if exploited, could expose thousands of surveillance cameras to remote code execution, allowing the video feed to be viewed and altered by unauthorised people.
"The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe. As more IoT devices are brought online, the attack surface expands and introduces new risks to both consumers and organisations," said Tenable CTO and co-founder Renaud Deraison.
NUUO versions 3.9.0 and earlier are affected.
The first problem, CVE-2018-1149, is that the implemented session handling mechanism doesn’t validate the user’s input properly, which an attacker can exploit to trigger stack overflow in session management routines in order to execute arbitrary code. Next, the NUUO NVRMini2 web server, CVE-2018-1150, contains a backdoor PHP code that when enabled would allow an unauthorised individual to change a password for any registered user except the system administrator.
Tenable said it has notified NUUO of the issues and although a patch has not been issued by that company it did say one is under development. In the meantime, Tenable is recommending those using the vulnerable devices disconnect them from the internet or update the software to version 3.9.1.
"Unfortunately, many users will be unaware that their devices are vulnerable because NUUO software is also integrated into products from other vendors. In these cases, users should contact their video surveillance vendors to confirm whether they are exposed and when a patch will be released," Tenable said.
The company has also created a plug in to assess whether or not a system is at risk.