Five years ago, security researcher Fernandez Ezequiel discovered a vulnerability (CVE-2018-9995) in many digital video recorder (DVR) brands and released a tool for exploiting it.
The vulnerability is still being exploited in the wild, FortiGuard Labs warns: the company’s intrusion prevention systems have registered 50,000+ unique exploitation attempts in the past month.
About CVE-2018-9995
CVE-2018-9995 is an authentication bypass vulnerability that can be triggered with a simple exploit sent via a maliciously crafted HTTP cookie to a vulnerable DVR device. The device responds by sending back the device’s admin credentials in clear text (i.e., unencrypted).
With those credentials in hand, the attacker can access the DVR device, take it over, and access the connected cameras' live video feeds.
The vulnerability was found in TBK Vision’s DVR4104 and DVR4216 devices.
“According to the NIST NVD database, TBK DVR4104 and DVR4216 devices are also rebranded and sold as other brands such as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR,” FortiGuard Labs pointed out.
The pool of potentially exploitable devices may be considerable.
“With tens of thousands of TBK DVRs available under different brands, publicly-available PoC code, and an easy-to-exploit makes this vulnerability an easy target for attackers. The recent spike in IPS detections shows that network camera devices remain a popular target for attackers,” the company said.
“FortiGuard Labs is not aware of any patches provided by the vendor and recommends organizations to review installed models of CCTV camera systems and related equipment for vulnerable models.”
Users can also protect their devices by limiting access to their DVR’s management interface – that is, by making access possible only from specific IP addresses.
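One way to check that such an allowlist is actually enforced is to audit firewall logs for accepted connections to the DVR from sources outside it. The following is an added example, not code from FortiGuard Labs or the original article; the log format, DVR address, port and allowed networks are all assumptions using documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Assumed policy: only these networks may reach the DVR management interface.
ALLOWED = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]
# Assumed DVR address and management port (placeholders).
DVR = (ipaddress.ip_address("10.20.5.8"), 80)

# Constructed log format: "<timestamp> ACCEPT|DROP SRC=<ip> DST=<ip> DPT=<port>"
LINE = re.compile(r"^(\S+) (ACCEPT|DROP) SRC=(\S+) DST=(\S+) DPT=(\d+)$")

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2023-05-02T08:01:11Z ACCEPT SRC=10.20.0.15 DST=10.20.5.8 DPT=80
2023-05-02T08:03:40Z ACCEPT SRC=203.0.113.77 DST=10.20.5.8 DPT=80
2023-05-02T08:03:41Z ACCEPT SRC=203.0.113.77 DST=10.20.5.8 DPT=80
2023-05-02T08:04:02Z DROP SRC=198.51.100.9 DST=10.20.5.8 DPT=80
2023-05-02T08:05:00Z ACCEPT SRC=192.0.2.10 DST=10.20.5.8 DPT=80
2023-05-02T08:06:13Z ACCEPT SRC=203.0.113.77 DST=10.20.5.9 DPT=80
garbled line that should be skipped
"""

def is_allowed(src):
    """True if the source address falls inside any allowlisted network."""
    return any(src in net for net in ALLOWED)

def audit(log_text):
    """Count ACCEPTed connections to the DVR from non-allowlisted sources."""
    violations = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        _, action, src, dst, dpt = m.groups()
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip lines with unparseable addresses
        if (dst_ip, int(dpt)) != DVR or action != "ACCEPT":
            continue  # only traffic that actually reached the DVR matters
        if not is_allowed(src_ip):
            violations[str(src_ip)] += 1
    return violations

if __name__ == "__main__":
    for src, hits in audit(SAMPLE_LOG).most_common():
        print(f"policy gap: {src} reached the DVR management port {hits} time(s)")
```

Any source this reports was let through by the firewall despite being outside the allowlist, which points to a missing or mis-ordered rule rather than a blocked attempt.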
Fortinet has also noticed a spike in attempted exploitation of another old command injection vulnerability (CVE-2016-20016), which affects MVPower digital video recorders.