Multiple Digital Video Recorder (DVR) devices have been identified with a critical security vulnerability, leaving over 408,000 units exposed to potential cyber-attacks.
The flaw, primarily affecting models such as TVT DVR TD-2104TS-CL, TD-2108TS-HP, Provision-ISR DVR SH-4050A5-5L(MM), and AVISION DVR AV108T, allows unauthorized access to sensitive device information due to insufficient access controls on the devices’ web servers.
The vulnerability, categorized under CWE-200: Information Exposure, can be exploited through a specific endpoint (/queryDevInfo).
This endpoint can be accessed without proper authentication, revealing detailed device information, including hardware and software versions, serial numbers, and network configurations, as per a report by Netsecfish.
Affected Devices and Software Versions
The vulnerability impacts a wide range of DVR devices, with the following models and software versions being particularly susceptible:
Hardware Models:
- TVT DVR TD-2104TS-CL
- TVT DVR TD-2108TS-HP
- Provision-ISR DVR SH-4050A5-5L(MM)
- AVISION DVR AV108
Software Versions:
- 1.3.4.22966B181219.D00.U1(4A21S)
- 1.3.4.24513B190218.D00.U1(8A21S)
- 1.3.3.20657B180918.D06.U2(4A41T)
- 1.3.4.24879B190222.D00.U2(8A21S)
- 1.3.4.22966B181219.D14.U1(8A41T)
- 1.3.4.22966B181219.D44.U1(16A82T)
Provision-ISR has acknowledged the issue, stating that it resulted from a collaborative effort with TVT. The company is currently working on mitigation strategies to address the vulnerability.
Exploitation and Mitigation
Exploiting this vulnerability is relatively straightforward. Attackers can retrieve sensitive information by sending a crafted POST request to the vulnerable endpoint.
A sample exploitation command is as follows:
```bash
curl -X POST "http:///queryDevInfo" \
  -H "Accept-Language: en-US,en;q=0.9" \
  -H "Accept-Encoding: gzip, deflate" \
  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" \
  -H "Upgrade-Insecure-Requests: 1" \
  -H "Connection: keep-alive" \
  -H "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS like Mac OS X) AppleWebKit (KHTML, like Gecko) Version Mobile Safari" \
  -H "Content-Length: 103" \
  -d ' '
```
Security experts advise affected device users to restrict network access to the DVRs, apply available patches, and monitor for unusual activity. Manufacturers are urged to release firmware updates that address these security flaws promptly.
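One way to act on the monitoring advice above, as an added example that is not from the original report or the vendors: a Python filter that flags requests for /queryDevInfo arriving from outside a management subnet. The combined-log-format input, the 10.20.0.0/24 management range and every sample line are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Assumptions: DVR web traffic crosses a proxy or sensor that writes
# combined-log-format lines, and 10.20.0.0/24 is the management subnet.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
ENDPOINT = "/querydevinfo"  # endpoint named in the report, lower-cased

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}'
)

def hits_endpoint(target):
    """True if a request target normalises to the device-info endpoint."""
    path = unquote(target.split("?", 1)[0]).lower()
    path = re.sub(r"^[a-z]+://[^/]*", "", path)  # absolute-form targets
    path = re.sub(r"/+", "/", path)              # "//queryDevInfo"
    return path.rstrip("/") == ENDPOINT

def find_unauthorised_queries(lines):
    """Count endpoint requests per source IP outside MGMT_NETS."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not hits_endpoint(m["target"]):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source field is not an IP address
        if not any(src in net for net in MGMT_NETS):
            hits[str(src)] += 1
    return dict(hits)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [12/Aug/2024:10:01:02 +0000] "POST /queryDevInfo HTTP/1.1" 200 812',
    '203.0.113.7 - - [12/Aug/2024:10:01:09 +0000] "POST //queryDevInfo/ HTTP/1.1" 200 812',
    '198.51.100.23 - - [12/Aug/2024:10:04:40 +0000] "POST /%71ueryDevInfo?x=1 HTTP/1.1" 200 812',
    '10.20.0.5 - - [12/Aug/2024:10:05:00 +0000] "POST /queryDevInfo HTTP/1.1" 200 812',
    '192.0.2.44 - - [12/Aug/2024:10:06:11 +0000] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, n in find_unauthorised_queries(SAMPLE).items():
        print(f"ALERT {ip} requested /queryDevInfo {n} time(s)")
```

The path is normalised before matching so that percent-encoding, case changes, duplicate slashes and query strings do not hide a request from the filter.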
As the digital landscape evolves, ensuring robust security measures for IoT devices remains important.
This incident underscores the critical need for manufacturers to prioritize security in their product designs and for users to stay vigilant against potential vulnerabilities.