Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU26285
Risk: Critical
CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-798 - Use of Hard-coded Credentials
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain full access to a vulnerable system.
The vulnerability exists due to the presence of hard-coded credentials in the application code. A remote unauthenticated attacker can log in to the affected system using these credentials.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Hard-coded accounts:
root/icatch99
report/8Jg0SR8K50
Note: this vulnerability has been actively exploited in the wild since August 2019.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
DHD516A: 2.0b1_20180828
DHD508A: 2.0b1_20180828
DHD504A: 2.0b1_20190417 - 2.0b1_20191202
DHD316A: 2.0b1_20171128 - 2.0b1_20180828
DHD308A: 2.0b1_20180828
DHD304A: 2.0b1_20180828
DHD204: 1.06_20151201
DHD204A: 2.0b60_20160223 - 2.0b60_20161123
DHD208: 2.0b60_20160504
DHD208A: 2.0b60_20160223 - 2.0b60_20161123
DHD216: 2.0b60_20151111
DHD216A: 2.0b60_20160223 - 2.0b60_20161123
External links
http://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
http://www.meritlilin.com/tw/support/file/type/Firmware
http://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can an attacker exploit this vulnerability?
The attacker only needs to log in to the affected device over the network with one of the hard-coded accounts listed above; no other flaw is required.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU26286
Risk: High
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to execute arbitrary shell commands on the target system.
The vulnerability exists because user-supplied data sent to the /z/zbin/dvr_box URL is not sanitized when the XML it carries is processed. The affected parameters are NTPUpdate, FTP and NTP. A remote authenticated user can inject and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Note: an unauthenticated attacker can exploit this vulnerability by first logging in with the hard-coded credentials described in vulnerability #1 (#VU26285). The CVSSv3.1 vector above scores the issue in isolation (PR:L); chained with vulnerability #1 it is reachable without any valid credentials.
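The following Python fragment is added here as an illustration of the CWE-78 pattern behind this class of bug and is not taken from the LILIN firmware or from the bulletin: a host value from a parameter such as NTP is spliced into a shell command line, beside a hardened form that validates the value as an IP address or hostname and passes it as an argument vector so no shell ever parses it. The function names and the ntpdate invocation are assumptions; the device's actual implementation is not shown on this page.

```python
"""CWE-78 in a host/URL parameter: unsafe string concatenation beside a
hardened argument-vector form.  Added illustration; this is not the LILIN
firmware's code, and the function names and ntpdate call are assumptions."""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# 1-63 chars each, not starting or ending with a hyphen.  No shell
# metacharacter can satisfy this, so validation doubles as injection defence.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}\.?$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def vulnerable_ntp_command(server):
    """The unsafe pattern: the user-controlled value is spliced into a
    command string that a shell will parse, so ';', '|', '&', '`' and
    '$()' inside the value become additional commands."""
    return "ntpdate " + server  # e.g. handed to system() or popen()


def is_valid_ntp_target(value):
    """Accept only an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def safe_ntp_command(server):
    """Hardened form: reject anything that is not a host, then return an
    argv list.  Run with shell=False so no shell ever sees the value."""
    if not is_valid_ntp_target(server):
        raise ValueError("rejected NTP server value: %r" % (server,))
    return ["ntpdate", server]


def run_ntp_update(server):
    """Execute the hardened command (requires ntpdate on the host)."""
    return subprocess.run(safe_ntp_command(server), shell=False, check=False)


if __name__ == "__main__":
    hostile = "10.0.0.1;reboot"
    print("vulnerable builds:", vulnerable_ntp_command(hostile))
    print("hardened builds:  ", safe_ntp_command("pool.ntp.org"))
    try:
        safe_ntp_command(hostile)
    except ValueError as exc:
        print("hardened rejects: ", exc)
```

The validation step matters even with an argument vector: an attacker who cannot inject a second command can still point the device at a host they control, so the allow-list of syntactically valid hosts is the minimum, and a fixed set of permitted servers is better where the product allows it.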
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
DHD516A: 2.0b1_20180828
DHD508A: 2.0b1_20180828
DHD504A: 2.0b1_20190417 - 2.0b1_20191202
DHD316A: 2.0b1_20171128 - 2.0b1_20180828
DHD308A: 2.0b1_20180828
DHD304A: 2.0b1_20180828
DHD204: 1.06_20151201
DHD204A: 2.0b60_20160223 - 2.0b60_20161123
DHD208: 2.0b60_20160504
DHD208A: 2.0b60_20160223 - 2.0b60_20161123
DHD216: 2.0b60_20151111
DHD216A: 2.0b60_20160223 - 2.0b60_20161123
External links
http://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
http://www.meritlilin.com/tw/support/file/type/Firmware
http://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can an attacker exploit this vulnerability?
The attacker would have to send a specially crafted XML request to the /z/zbin/dvr_box URL on the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU26287
Risk: High
CVSSv3.1: 7.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:H/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to read arbitrary files on the system.
The vulnerability exists because user-supplied data passed to the /z/zbin/net_html.cgi URL is not validated against directory traversal sequences. A remote authenticated user can view the contents of arbitrary files on the system.
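As an added example (not part of the bulletin or the vendor's material), the following Python detection logic flags the two request patterns described for vulnerabilities #2 and #3: shell metacharacters in the NTPUpdate, FTP or NTP parameters sent to /z/zbin/dvr_box, and traversal sequences, including percent-encoded and double-encoded ones, in values sent to /z/zbin/net_html.cgi. The input shape (request path plus decoded parameters, as a reverse proxy or WAF in front of the DVR might record them), the parameter name `file` and the sample requests are constructed assumptions; the bulletin does not name the traversal parameter, so that rule checks every parameter.

```python
"""Detection for the two request patterns in this bulletin: command-injection
characters in NTPUpdate/FTP/NTP sent to /z/zbin/dvr_box and traversal in
values sent to /z/zbin/net_html.cgi.  Added example, not the bulletin's or
the vendor's code; input shape and sample requests are constructed."""
import re
from urllib.parse import unquote

# Parameters the bulletin names as injectable on /z/zbin/dvr_box.
INJECTION_PARAMS = {"NTPUpdate", "FTP", "NTP"}
# Characters a POSIX shell treats specially.  None is legal in a hostname,
# so a single occurrence in an NTP/FTP host value is a strong signal.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n\\]")
# A ".." path component, with either slash direction, after decoding.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def normalize(value, rounds=3):
    """Percent-decode repeatedly so %252e%252e%252f (double encoding) is
    examined as '../'.  Stops early once decoding no longer changes it."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(path, params):
    """Return a list of (rule, parameter, decoded_value) findings for one
    request.  Rules are keyed to the endpoint so unrelated pages with
    similar values do not fire."""
    findings = []
    if path.endswith("/z/zbin/dvr_box"):
        for name in sorted(INJECTION_PARAMS & set(params)):
            value = normalize(params[name])
            if SHELL_META_RE.search(value):
                findings.append(("dvr_box-command-injection", name, value))
    if path.endswith("/z/zbin/net_html.cgi"):
        # The bulletin does not name the parameter, so every one is checked.
        for name, raw in params.items():
            value = normalize(raw)
            if TRAVERSAL_RE.search(value):
                findings.append(("net_html-path-traversal", name, value))
    return findings


# Constructed sample traffic, not captured from a real device.
SAMPLE_REQUESTS = [
    ("/z/zbin/dvr_box", {"NTP": "pool.ntp.org"}),                 # benign
    ("/z/zbin/dvr_box", {"NTPUpdate": "1", "NTP": "pool.ntp.org;id"}),
    ("/z/zbin/dvr_box", {"FTP": "`id`"}),
    ("/z/zbin/net_html.cgi", {"file": "logo.png"}),                # benign
    ("/z/zbin/net_html.cgi", {"file": "%2e%2e%2f%2e%2e%2fetc%2fpasswd"}),
    ("/index.html", {"q": "..%2f..%2f"}),                          # wrong endpoint
]


def scan(requests=SAMPLE_REQUESTS):
    """Run inspect_request over a batch and return (path, rule, param, value)."""
    results = []
    for path, params in requests:
        for finding in inspect_request(path, params):
            results.append((path,) + finding)
    return results


if __name__ == "__main__":
    for hit in scan():
        print("ALERT %-22s %-28s %s=%r" % (hit[1], hit[0], hit[2], hit[3]))
```

Both rules key on the endpoint rather than on the value alone: `..` or `;` in an arbitrary query string is common noise, but on these two CGI paths the bulletin gives no legitimate reason for either. Because the bulletin reports the issues as actively exploited, hits should be treated as likely compromise attempts and correlated with logins by the accounts listed in vulnerability #1.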
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
DHD516A: 2.0b1_20180828
DHD508A: 2.0b1_20180828
DHD504A: 2.0b1_20190417 - 2.0b1_20191202
DHD316A: 2.0b1_20171128 - 2.0b1_20180828
DHD308A: 2.0b1_20180828
DHD304A: 2.0b1_20180828
DHD204: 1.06_20151201
DHD204A: 2.0b60_20160223 - 2.0b60_20161123
DHD208: 2.0b60_20160504
DHD208A: 2.0b60_20160223 - 2.0b60_20161123
DHD216: 2.0b60_20151111
DHD216A: 2.0b60_20160223 - 2.0b60_20161123
External links
http://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
http://www.meritlilin.com/tw/support/file/type/Firmware
http://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can an attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the /z/zbin/net_html.cgi URL on the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.