CERTVU:899080Zhuhai Raysharp firmware for DVRs from multiple vendors contains hard-coded credentials
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.069 Low
EPSS
Percentile
94.0%
Overview
Digital Video Recorders (DVRs), security cameras, and possibly other devices from multiple vendors use a firmware derived from Zhuhai RaySharp that contains a hard-coded root password.
Description
CWE-259**: Use of Hard-coded Password**** -**CVE-2015-8286
According to the reporter, DVR devices based on the Zhuhai RaySharp firmware contain a hard-coded root password. Remote attackers with knowledge of the password may gain root access to the device.
Furthermore, it was previously reported publicly that many of these devices enable remote access via telnet or port 9000 by default.
The CERT/CC has not been able to confirm this information directly with Zhuhai RaySharp. The Vendor List below provides more information on each manufacturer that was reported to be vulnerable.
The reporter, Risk Based Security, has provided security advisory RBS-2016-001 with more information.
Impact
An unauthenticated remote attacker may gain root access to the device.
Solution
Apply an update if possible
Some vendors have released updated firmware to address this issue. Please contact your device manufacturer for more information. The Vendor List below provides more information on each manufacturer that was reported to be vulnerable.
If your vendor does not have an updated firmware available at this time, you may consider the following mitigations:
Restrict network access
Use a firewall or similar technology to restrict access to trusted hosts, networks, and services.
Vendor Information
899080
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Swann __ Affected
Notified: September 22, 2015 Updated: February 19, 2016
Statement Date: February 19, 2016
Status
Affected
Vendor Statement
"`We are reaching out to Raysharp for firmware updates to further secure the older units but as the technology they were based on is now well and truly out of production this will take some time.
Until such time as Swann are able to secure updated firmware for these models we recommend that the units are disconnected from the user’s network to prevent malicious access. If the user requires remote access to their unit then we recommend that the user changes the numbers of the internal network “Ports” to use non-standard values that are not easily discovered and make random access very difficult. Swann’s Tech Center can help guide users through this process if necessary.`"
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
While some Swann models use Raysharp code, Swann has stated that they do not use the same default hard-coded credentials provided by Raysharp. However, the credentials are still hard-coded.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23899080 Feedback>).
Zhuhai RaySharp Affected
Notified: September 09, 2015 Updated: February 17, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Axis Communications __ Not Affected
Notified: February 09, 2016 Updated: February 12, 2016
Statement Date: February 12, 2016
Status
Not Affected
Vendor Statement
“Axis does not use nor include any of the code or products [RaySharp] described”.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hanwha __ Not Affected
Notified: February 09, 2016 Updated: February 12, 2016
Statement Date: February 12, 2016
Status
Not Affected
Vendor Statement
“Our product do not use firmware from Zhuhai RaySharp.”
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
COP USA Unknown
Notified: September 09, 2015 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CWD __ Unknown
Notified: September 23, 2015 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
CWD makes Defender-USA products.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23899080 Feedback>).
KGuard Security Unknown
Notified: September 09, 2015 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Konig Electronics Unknown
Notified: September 23, 2015 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Lorex Corporation Unknown
Notified: September 09, 2015 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 8.5 | E:POC/RL:U/RC:UR |
| Environmental | 6.4 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- <https://www.riskbasedsecurity.com/research/RBS-2016-001.pdf>
- <http://www.forbes.com/sites/andygreenberg/2013/01/28/more-than-a-dozen-brands-of-security-camera-systems-vulnerable-to-hacker-hijacking/>
- <http://seclists.org/bugtraq/2015/Jun/117>
- <http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html>
Acknowledgements
Thanks to Carsten Eiram of Risk Based Security for reporting these vulnerabilities.
This document was written by Garret Wassermann.
Other Information
| CVE IDs: | CVE-2015-8286 |
|---|---|
| Date Public: | 2016-02-17 Date First Published: |
Related
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.069 Low
EPSS
Percentile
94.0%