Multiple vulnerabilities in Merit LILIN DVR devices



Risk Critical
Patch available YES
Number of vulnerabilities 3
CVE-ID N/A
CWE-ID CWE-798
CWE-78
CWE-22
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerability #2 is being exploited in the wild.
Vulnerability #3 is being exploited in the wild.
Vulnerable software
DHD516A
Hardware solutions / Office equipment, IP-phones, print servers

DHD508A
Hardware solutions / Office equipment, IP-phones, print servers

DHD504A
Hardware solutions / Office equipment, IP-phones, print servers

DHD316A
Hardware solutions / Office equipment, IP-phones, print servers

DHD308A
Hardware solutions / Office equipment, IP-phones, print servers

DHD304A
Hardware solutions / Office equipment, IP-phones, print servers

DHD204
Hardware solutions / Office equipment, IP-phones, print servers

DHD204A
Hardware solutions / Office equipment, IP-phones, print servers

DHD208
Hardware solutions / Office equipment, IP-phones, print servers

DHD208A
Hardware solutions / Office equipment, IP-phones, print servers

DHD216
Hardware solutions / Office equipment, IP-phones, print servers

DHD216A
Hardware solutions / Office equipment, IP-phones, print servers

Vendor Merit LILIN Ent. Co., Ltd.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Use of hard-coded credentials

EUVDB-ID: #VU26285

Risk: Critical

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: N/A

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain full access to the vulnerable system.

The vulnerability exists due to the presence of hard-coded credentials in the application code. A remote, unauthenticated attacker can log in to the affected device using these credentials.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Hard-coded accounts:

root/icatch99
report/8Jg0SR8K50

Note: this vulnerability has been actively exploited in the wild since August 2019.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

DHD516A: 2.0b1_20180828

DHD508A: 2.0b1_20180828

DHD504A: 2.0b1_20190417 - 2.0b1_20191202

DHD316A: 2.0b1_20171128 - 2.0b1_20180828

DHD308A: 2.0b1_20180828

DHD304A: 2.0b1_20180828

DHD204: 1.06_20151201

DHD204A: 2.0b60_20160223 - 2.0b60_20161123

DHD208: 2.0b60_20160504

DHD208A: 2.0b60_20160223 - 2.0b60_20161123

DHD216: 2.0b60_20151111

DHD216A: 2.0b60_20160223 - 2.0b60_20161123

External links

https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
https://www.meritlilin.com/tw/support/file/type/Firmware
https://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

2) OS Command Injection

EUVDB-ID: #VU26286

Risk: High

CVSSv4.0: 8.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: N/A

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient filtering of user-supplied data passed to the /z/zbin/dvr_box URL when processing XML files. The affected parameters are NTPUpdate, FTP, and NTP. A remote authenticated user can inject and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: this vulnerability can be exploited by a non-authenticated attacker by way of the hard-coded credentials issue (described in vulnerability #1).

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

DHD516A: 2.0b1_20180828

DHD508A: 2.0b1_20180828

DHD504A: 2.0b1_20190417 - 2.0b1_20191202

DHD316A: 2.0b1_20171128 - 2.0b1_20180828

DHD308A: 2.0b1_20180828

DHD304A: 2.0b1_20180828

DHD204: 1.06_20151201

DHD204A: 2.0b60_20160223 - 2.0b60_20161123

DHD208: 2.0b60_20160504

DHD208A: 2.0b60_20160223 - 2.0b60_20161123

DHD216: 2.0b60_20151111

DHD216A: 2.0b60_20160223 - 2.0b60_20161123

External links

https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
https://www.meritlilin.com/tw/support/file/type/Firmware
https://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

3) Path traversal

EUVDB-ID: #VU26287

Risk: High

CVSSv4.0: 7.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: N/A

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to read arbitrary files on the system.

The vulnerability exists due to insufficient filtering of user-supplied data passed to the /z/zbin/net_html.cgi URL. A remote authenticated user can view the contents of arbitrary files on the system.

Note: this vulnerability can be exploited by a non-authenticated attacker by way of the hard-coded credentials issue (described in vulnerability #1).

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

DHD516A: 2.0b1_20180828

DHD508A: 2.0b1_20180828

DHD504A: 2.0b1_20190417 - 2.0b1_20191202

DHD316A: 2.0b1_20171128 - 2.0b1_20180828

DHD308A: 2.0b1_20180828

DHD304A: 2.0b1_20180828

DHD204: 1.06_20151201

DHD204A: 2.0b60_20160223 - 2.0b60_20161123

DHD208: 2.0b60_20160504

DHD208A: 2.0b60_20160223 - 2.0b60_20161123

DHD216: 2.0b60_20151111

DHD216A: 2.0b60_20160223 - 2.0b60_20161123
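The vulnerable version lists for all three issues are identical, so a single inventory check covers the whole bulletin. The following triage helper is an added example, not code from the bulletin or the vendor; it assumes the firmware string format <base>_<YYYYMMDD> used in the lists above and treats a listed single version as a range with coinciding endpoints.

```python
"""Triage helper for the LILIN DVR bulletin above (added example, not
part of the original). Versions are assumed to look like <base>_<YYYYMMDD>;
a build is vulnerable when its base matches a listed range and its date
suffix lies between the range endpoints."""
from datetime import date

# Vulnerable versions as listed in the advisory (identical for all three
# issues); a single version is a range whose endpoints coincide.
VULNERABLE = {
    "DHD516A": ("2.0b1_20180828", "2.0b1_20180828"),
    "DHD508A": ("2.0b1_20180828", "2.0b1_20180828"),
    "DHD504A": ("2.0b1_20190417", "2.0b1_20191202"),
    "DHD316A": ("2.0b1_20171128", "2.0b1_20180828"),
    "DHD308A": ("2.0b1_20180828", "2.0b1_20180828"),
    "DHD304A": ("2.0b1_20180828", "2.0b1_20180828"),
    "DHD204": ("1.06_20151201", "1.06_20151201"),
    "DHD204A": ("2.0b60_20160223", "2.0b60_20161123"),
    "DHD208": ("2.0b60_20160504", "2.0b60_20160504"),
    "DHD208A": ("2.0b60_20160223", "2.0b60_20161123"),
    "DHD216": ("2.0b60_20151111", "2.0b60_20151111"),
    "DHD216A": ("2.0b60_20160223", "2.0b60_20161123"),
}

def parse_version(v):
    """Split '2.0b1_20180828' into ('2.0b1', date(2018, 8, 28))."""
    base, _, stamp = v.rpartition("_")
    if not base or len(stamp) != 8 or not stamp.isdigit():
        raise ValueError(f"unrecognised firmware version: {v!r}")
    return base, date(int(stamp[:4]), int(stamp[4:6]), int(stamp[6:]))

def assess(model, version):
    """Return 'vulnerable', 'not listed' or 'unknown model'. 'not listed'
    only means the build is outside every listed range; the bulletin does
    not enumerate fixed builds, so it is not proof that a patch is applied."""
    rng = VULNERABLE.get(model.upper())
    if rng is None:
        return "unknown model"
    base, when = parse_version(version)
    lo_base, lo = parse_version(rng[0])
    hi_base, hi = parse_version(rng[1])
    if base == lo_base == hi_base and lo <= when <= hi:
        return "vulnerable"
    return "not listed"

if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [("DHD504A", "2.0b1_20190801"), ("DHD316A", "2.0b1_20170101"),
              ("DHD204", "1.06_20151201"), ("XYZ", "1.0_20200101")]
    for m, v in sample:
        print(m, v, "->", assess(m, v))
```

Treat "not listed" as a prompt to confirm the installed build against the vendor's firmware page linked above, not as a clean result.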

External links

https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
https://www.meritlilin.com/tw/support/file/type/Firmware
https://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.
