SB2020032101 - Multiple vulnerabilities in Merit LILIN DVR devices
Published: March 21, 2020
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Use of hard-coded credentials (CVE-ID: N/A)
The vulnerability allows a remote attacker to gain full access to the vulnerable system.
The vulnerability exists due to the presence of hard-coded credentials in the application code. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Hard-coded accounts:
- root/icatch99
- report/8Jg0SR8K50
Note: this vulnerability has been actively exploited in the wild since August 2019.
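Because the affected accounts cannot be changed before the vendor update is applied, a practical interim control is to watch authentication logs for them. The following detection is an added example, not code from the bulletin or from the vendor: it flags login events for the two account names the bulletin lists when they originate outside an assumed management subnet. The log line format, the subnet and the sample lines are constructed assumptions.

```python
"""Added example (not from the bulletin or the vendor): flag logins that use the
hard-coded account names the bulletin lists when they come from outside an
assumed management subnet. The log line format, the subnet and the sample
lines are constructed assumptions for illustration."""
import ipaddress
import re
from typing import Dict, List, Optional

# Account names taken from the bulletin; the passwords are not needed here.
HARDCODED_ACCOUNTS = {"root", "report"}

# Assumption: only this subnet should ever reach the DVR's login interface.
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample log lines in an assumed "user=... src=... result=..." format.
SAMPLE_LOG = [
    "2020-03-21T10:00:01 dvr login user=admin src=10.0.0.5 result=ok",
    "2020-03-21T10:00:07 dvr login user=root src=203.0.113.44 result=ok",
    "2020-03-21T10:00:09 dvr login user=report src=198.51.100.9 result=fail",
    "2020-03-21T10:01:00 dvr login user=root src=10.0.0.7 result=ok",
    "this line does not match the expected format",
]

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the user/src/result fields of one line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    try:
        ipaddress.ip_address(ev["src"])
    except ValueError:
        return None  # malformed source address: treat the line as unparseable
    return ev


def find_suspicious_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Events (successful or failed) for a hard-coded account from outside MGMT_NET."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["user"] in HARDCODED_ACCOUNTS and ipaddress.ip_address(ev["src"]) not in MGMT_NET:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print(f"ALERT: {hit['user']} login ({hit['result']}) from {hit['src']}")
```

Failed attempts are reported as well as successful ones, since a failed login as `report` from an external address is still evidence that someone is trying the published credentials against the device.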
2) OS Command Injection (CVE-ID: N/A)
The vulnerability allows a remote authenticated user to execute arbitrary shell commands on the target system.
The vulnerability exists due to missing filtering of user-supplied data passed to the /z/zbin/dvr_box URL when processing XML files. The affected parameters are NTPUpdate, FTP, and NTP. A remote authenticated user can inject and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Note: this vulnerability can be exploited by an unauthenticated attacker in combination with the hard-coded credentials issue (described in vulnerability #1).
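The defect described above is the classic pattern of splicing a request parameter into a shell command string. The following added example (not the DVR's code) takes the NTP host from an XML body, the way the bulletin says the parameters are delivered, validates it against an allow-list of IP literals and plain hostnames, and passes it to the time-sync binary as a single argv element with no shell involved. The XML layout, the function names and the `ntpdate` invocation are assumptions; the vulnerable function is kept alongside to show what changes.

```python
"""Added example (not the DVR's code): the NTP host is taken from an XML body,
validated against an allow-list and passed as a single argv element instead of
being spliced into a shell command. The XML layout, function names and the
ntpdate invocation are assumptions for illustration."""
import ipaddress
import re
import subprocess
import xml.etree.ElementTree as ET
from typing import List

# Constructed request body in an assumed layout.
SAMPLE_XML = "<Request><NTP>pool.ntp.org</NTP></Request>"

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def ntp_host_from_xml(body: str) -> str:
    """Extract the NTP element's text from the request body."""
    root = ET.fromstring(body)
    node = root.find("NTP")
    if node is None or node.text is None:
        raise ValueError("missing NTP element")
    return node.text.strip()


def vulnerable_command(host: str) -> str:
    """The pattern the bulletin describes: the raw parameter becomes part of a
    shell command string, so any shell metacharacters in `host` are interpreted."""
    return "ntpdate " + host


def validate_host(host: str) -> str:
    """Accept an IP literal or a plain hostname; reject everything else."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected NTP host: {host!r}")


def hardened_argv(host: str) -> List[str]:
    """Validated value as one argv element; no shell is involved."""
    return ["ntpdate", validate_host(host)]


def run_ntp_update(host: str) -> subprocess.CompletedProcess:
    """Invoke ntpdate without a shell (needs the binary installed; not run by tests)."""
    return subprocess.run(hardened_argv(host), shell=False, capture_output=True, timeout=30)
```

Both layers matter: the allow-list stops unexpected characters at the boundary, and the argv list guarantees that even a value which slips past validation is delivered to the program as data, never re-parsed by `/bin/sh`.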
3) Path traversal (CVE-ID: N/A)
The vulnerability allows a remote authenticated user to read arbitrary files on the system.
The vulnerability exists due to missing filtering of user-supplied data passed to the /z/zbin/net_html.cgi URL. A remote authenticated user can view the contents of arbitrary files on the system.
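A file-serving endpoint avoids this class of bug by canonicalising the requested path and refusing anything that does not stay beneath its web root. The following added example (not the DVR's code) builds a throwaway web root, shows the unfiltered join the bulletin describes beside a hardened resolver, and reads files only through the latter. The directory layout and function names are constructed for the example.

```python
"""Added example (not the DVR's code): serving files only from beneath a web
root. `resolve_under_root` canonicalises the requested path and rejects anything
that escapes the root; `vulnerable_join` beside it is the pattern the bulletin
describes. The directory layout is a constructed fixture."""
import os
import tempfile
from typing import Optional


def build_sample_root() -> str:
    """Create a throwaway web root with two files (constructed test fixture)."""
    root = tempfile.mkdtemp(prefix="dvr_html_")
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
        f.write("<html>ok</html>")
    with open(os.path.join(root, "css", "style.css"), "w", encoding="utf-8") as f:
        f.write("body{}")
    return root


def vulnerable_join(root: str, requested: str) -> str:
    """Unfiltered concatenation: '..' segments walk out of root, and an absolute
    `requested` makes os.path.join discard root entirely."""
    return os.path.join(root, requested)


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the canonical path if it stays inside root, otherwise None."""
    if "\x00" in requested or os.path.isabs(requested):
        return None
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    # realpath resolves '..' and follows symlinks, so a link inside root that
    # points outside it is rejected by the same containment check.
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate


def read_under_root(root: str, requested: str) -> Optional[str]:
    """Read a regular file beneath root; None for anything rejected or missing."""
    path = resolve_under_root(root, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as f:
        return f.read()


if __name__ == "__main__":
    root = build_sample_root()
    for req in ("index.html", "css/../index.html", "../../etc/hostname", "/etc/hostname"):
        print(f"{req!r:24} -> {read_under_root(root, req)!r}")
```

The containment check compares canonical paths rather than string prefixes, which avoids the sibling-directory mistake where `/www/html` would wrongly accept `/www/html2/secret`; `os.path.commonpath` only matches on whole path components.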
Remediation
Install the update from the vendor's website.