CERTVU:667480AVer Information EH6108H+ hybrid DVR contains multiple vulnerabilities
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.006 Low
EPSS
Percentile
79.2%
Overview
AVer Information EH6108H+ hybrid DVR, version X9.03.24.00.07l and possibly earlier, reportedly contains multiple vulnerabilities, including undocumented privileged accounts, authentication bypass, and information exposure.
Description
AVer Information EH6108H+ hybrid DVR is an IP security camera management system and streaming video recorder. Version X9.03.24.00.07l and possibly earlier are reported to contain multiple vulnerabilities.
CWE-798: Use of Hard-coded Credentials - CVE-2016-6535
AVer Information EH6108H+ reportedly contains two undocumented, hard-coded account credentials. Both accounts have root privileges and may be used to gain access via an undocumented telnet service that cannot be disabled through the web user interface and runs by default.
CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-6536
By guessing the handle parameter of the /setup page of the web interface, an unauthenticated attacker reportedly may be able to access restricted pages and alter DVR configurations or change user passwords.
CWE-200: Information Exposure - CVE-2016-6537
User credentials are reported to be stored and transmitted in an insecure manner. In the configuration page of the web interface, passwords are stored in base64-encoded strings. In client requests, credentials are listed in plain text in the cookie header.
For more information, refer to the researcher’s disclosure.
Impact
A remote, unauthenticated attacker may be able to gain access with root privileges to completely compromise vulnerable devices.
Solution
The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks.
Vendor Information
667480
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
AVer Information Affected
Notified: May 16, 2016 Updated: September 08, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 9 | E:F/RL:U/RC:UR |
| Environmental | 2.3 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
- <http://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/>
- <https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-and-more>
- <https://cwe.mitre.org/data/definitions/798.html>
- <https://cwe.mitre.org/data/definitions/302.html>
- <https://cwe.mitre.org/data/definitions/200.html>
Acknowledgements
Thanks to Travis Lee for reporting these vulnerabilities.
This document was written by Joel Land.
Other Information
| CVE IDs: | CVE-2016-6535, CVE-2016-6536, CVE-2016-6537 |
|---|---|
| Date Public: | 2016-09-13 Date First Published: |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.006 Low
EPSS
Percentile
79.2%