Lucene search

HistoryJun 26, 2024 - 12:00 a.m.

Hanwha Vision NVR Remote Code Execution (CVE-2023-6116)

2024-06-2600:00:00

www.tenable.com

hanwha vision nvr

remote code execution

cve-2023-6116

injection

arbitrary attack code

http url parameters

stack memory

firmware version

configuration option

authentication

tenable.ot scanner.

8.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H

7.2 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

An attacker could inject arbitrary attack code by manipulating http url parameters. However, in order to succeed in the attack, the base address of the stack memory must be obtained. The default address depends on firmware version, configuration option information, and the attack is unlikely to succeed. Nevertheless, we believe that this vulnerability has a significant impact on the product because it allows arbitrary attacks without authentication.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(502277);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/27");

  script_cve_id("CVE-2023-6116");

  script_name(english:"Hanwha Vision NVR Remote Code Execution (CVE-2023-6116)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"An attacker could inject arbitrary attack code by manipulating http url parameters. 
However, in order to succeed in the attack, the base address of the stack 
memory must be obtained. The default address depends on firmware version, 
configuration option information, and the attack is unlikely to succeed. 
Nevertheless, we believe that this vulnerability has a significant impact 
on the product because it allows arbitrary attacks without authentication.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  # https://www.hanwhavision.com/wp-content/uploads/2024/04/NVR-DVR-Vulnerability-Report-CVE-2023-6116.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?df549c8f");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss3_base_vector("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-6116");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/04/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/06/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:xrn-2010_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:xrn-2011_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:xrn-3010_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:xrn-2010a_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:xrn-2011a_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:xrn-3010a_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:arn-3250_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:xrn-810s_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:xrn-410s_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:qrn-810_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:qrn-410_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:hrx-1621_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:hrx-1620_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:hrx-821_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:hrx-820_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:hrx-421_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:hrx-420_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:xrn-420s_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hanwhavision:qrn-430s_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/HanwhaVision");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/HanwhaVision');

var asset = tenable_ot::assets::get(vendor:'HanwhaVision');

var vuln_cpes = {
    "cpe:/o:hanwhavision:xrn-2010_firmware" :
        {"versionEndIncluding" : "2.46", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:xrn-2011_firmware" :
        {"versionEndIncluding" : "2.46", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:xrn-3010_firmware" :
        {"versionEndIncluding" : "2.46", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:xrn-2010a_firmware" :
        {"versionEndIncluding" : "2.46", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:xrn-2011a_firmware" :
        {"versionEndIncluding" : "2.46", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:xrn-3010a_firmware" :
        {"versionEndIncluding" : "2.46", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:arn-3250_firmware" :
        {"versionEndIncluding" : "2.46", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:xrn-810s_firmware" :
        {"versionEndIncluding" : "2.46", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:xrn-410s_firmware" :
        {"versionEndIncluding" : "2.46", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:qrn-810_firmware" :
        {"versionEndIncluding" : "2.46", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:qrn-410_firmware" :
        {"versionEndIncluding" : "2.46", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:hrx-1621_firmware" :
        {"versionEndIncluding" : "3.05.62", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:hrx-1620_firmware" :
        {"versionEndIncluding" : "3.05.62", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:hrx-821_firmware" :
        {"versionEndIncluding" : "3.05.62", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:hrx-820_firmware" :
        {"versionEndIncluding" : "3.05.62", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:hrx-421_firmware" :
        {"versionEndIncluding" : "3.05.62", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:hrx-420_firmware" :
        {"versionEndIncluding" : "3.05.62", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:xrn-420s_firmware" :
        {"versionEndIncluding" : "5.01.52", "family" : "HanwhaVideoRecorders"},
    "cpe:/o:hanwhavision:qrn-430s_firmware" :
        {"versionEndIncluding" : "5.01.52", "family" : "HanwhaVideoRecorders"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_NOTE);

VendorProductVersionCPE
hanwhavisionqrn-430s_firmwarecpe:/o:hanwhavision:qrn-430s_firmware
hanwhavisionxrn-410s_firmwarecpe:/o:hanwhavision:xrn-410s_firmware
hanwhavisionxrn-420s_firmwarecpe:/o:hanwhavision:xrn-420s_firmware
hanwhavisionqrn-410_firmwarecpe:/o:hanwhavision:qrn-410_firmware
hanwhavisionhrx-421_firmwarecpe:/o:hanwhavision:hrx-421_firmware
hanwhavisionxrn-2011a_firmwarecpe:/o:hanwhavision:xrn-2011a_firmware
hanwhavisionhrx-1621_firmwarecpe:/o:hanwhavision:hrx-1621_firmware
hanwhavisionxrn-2011_firmwarecpe:/o:hanwhavision:xrn-2011_firmware
hanwhavisionxrn-2010_firmwarecpe:/o:hanwhavision:xrn-2010_firmware
hanwhavisionhrx-1620_firmwarecpe:/o:hanwhavision:hrx-1620_firmware

Vendor	Product	CPE
hanwhavision	qrn-430s_firmware	cpe:/o:hanwhavision:qrn-430s_firmware
hanwhavision	xrn-410s_firmware	cpe:/o:hanwhavision:xrn-410s_firmware
hanwhavision	xrn-420s_firmware	cpe:/o:hanwhavision:xrn-420s_firmware
hanwhavision	qrn-410_firmware	cpe:/o:hanwhavision:qrn-410_firmware
hanwhavision	hrx-421_firmware	cpe:/o:hanwhavision:hrx-421_firmware
hanwhavision	xrn-2011a_firmware	cpe:/o:hanwhavision:xrn-2011a_firmware
hanwhavision	hrx-1621_firmware	cpe:/o:hanwhavision:hrx-1621_firmware
hanwhavision	xrn-2011_firmware	cpe:/o:hanwhavision:xrn-2011_firmware
hanwhavision	xrn-2010_firmware	cpe:/o:hanwhavision:xrn-2010_firmware
hanwhavision	hrx-1620_firmware	cpe:/o:hanwhavision:hrx-1620_firmware

Rows per page:

1-10 of 191

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6116

www.nessus.org/u?df549c8f

8.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H

7.2 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for TENABLE_OT_HANWHAVISION_CVE-2023-6116.NASL