
Multiple vulnerabilities in Merit LILIN DVR devices



Published: 2020-03-21

Security Advisory

1) Use of hard-coded credentials

Severity: Critical

CVSSv3: 9.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain full access to a vulnerable system.

The vulnerability exists due to the presence of hard-coded credentials in the application code. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Hard-coded accounts:

root/icatch99
report/8Jg0SR8K50

Note: this vulnerability has been actively exploited in the wild since August 2019.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

DHD516A: 2.0b1_20180828

DHD508A: 2.0b1_20180828

DHD504A: 2.0b1_20190417, 2.0b1_20191202

DHD316A: 2.0b1_20171128, 2.0b1_20180828

DHD308A: 2.0b1_20180828

DHD304A: 2.0b1_20180828

DHD204: 1.06_20151201

DHD204A: 2.0b60_20160223, 2.0b60_20161123

DHD208: 2.0b60_20160504

DHD208A: 2.0b60_20160223, 2.0b60_20161123

DHD216: 2.0b60_20151111

DHD216A: 2.0b60_20160223, 2.0b60_20161123

External links

https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
http://www.meritlilin.com/tw/support/file/type/Firmware
https://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

2) OS Command Injection

Severity: High

CVSSv3: 8.4 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote authenticated user to execute arbitrary shell commands on the target system.

The vulnerability exists because user-supplied data passed to the /z/zbin/dvr_box URL is not filtered when processing XML files. The affected parameters are NTPUpdate, FTP, and NTP. A remote authenticated user can inject and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: this vulnerability can be exploited by a non-authenticated attacker using the hard-coded credentials issue (described in vulnerability #1).

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

DHD516A: 2.0b1_20180828

DHD508A: 2.0b1_20180828

DHD504A: 2.0b1_20190417, 2.0b1_20191202

DHD316A: 2.0b1_20171128, 2.0b1_20180828

DHD308A: 2.0b1_20180828

DHD304A: 2.0b1_20180828

DHD204: 1.06_20151201

DHD204A: 2.0b60_20160223, 2.0b60_20161123

DHD208: 2.0b60_20160504

DHD208A: 2.0b60_20160223, 2.0b60_20161123

DHD216: 2.0b60_20151111

DHD216A: 2.0b60_20160223, 2.0b60_20161123

External links

https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
http://www.meritlilin.com/tw/support/file/type/Firmware
https://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

3) Path traversal

Severity: High

CVSSv3: 7.4 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:H/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote authenticated user to read arbitrary files on the system.

The vulnerability exists because user-supplied data passed to the /z/zbin/net_html.cgi URL is not filtered. A remote authenticated user can view the contents of arbitrary files on the system.

Note: this vulnerability can be exploited by a non-authenticated attacker using the hard-coded credentials issue (described in vulnerability #1).
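
Detection example (added here, not part of the original advisory or vendor material): a log triage script that flags requests to the two URLs named in vulnerabilities #2 and #3 and notes when they were made under one of the hard-coded account names from vulnerability #1. It assumes a reverse proxy or network sensor in front of the DVR that writes Common Log Format with the authenticated user field populated; the sample lines and the query parameter name "f" are constructed.

```python
import re
from urllib.parse import unquote

# Paths named in the advisory (vulnerabilities #2 and #3).
WATCHED_PATHS = ("/z/zbin/dvr_box", "/z/zbin/net_html.cgi")
# Account names (not passwords) of the hard-coded credentials, vulnerability #1.
HARDCODED_USERS = {"root", "report"}
# Common Log Format: host ident authuser [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges, placeholder parameter "f").
SAMPLE_LOG = [
    '198.51.100.7 - report [21/Mar/2020:10:01:02 +0000] "POST /z/zbin/dvr_box HTTP/1.1" 200 512',
    '203.0.113.9 - root [21/Mar/2020:10:02:10 +0000] "GET /z/zbin/net_html.cgi?f=%252e%252e%2Fsample HTTP/1.1" 200 90',
    '192.0.2.4 - - [21/Mar/2020:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def decode_fully(target, rounds=3):
    # Percent-decode repeatedly so a double-encoded "../" is still visible.
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    # Return (source, sorted reasons) for a request to a watched path, else None.
    m = CLF.match(line)
    if not m:
        return None
    target = decode_fully(m["target"])
    path = target.split("?", 1)[0]
    if not any(path == p or path.startswith(p + "/") for p in WATCHED_PATHS):
        return None
    reasons = {"watched-path"}
    if m["user"] in HARDCODED_USERS:
        reasons.add("hardcoded-account")
    if "../" in target or "..\\" in target:
        reasons.add("traversal-sequence")
    if m["status"].startswith("2"):
        reasons.add("request-succeeded")
    return m["src"], sorted(reasons)

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]
```

The injected parameters of vulnerability #2 travel in the request body, which access logs do not record, so any hit on /z/zbin/dvr_box from an unexpected source should be followed up with a firmware version check against the list below.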

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

DHD516A: 2.0b1_20180828

DHD508A: 2.0b1_20180828

DHD504A: 2.0b1_20190417, 2.0b1_20191202

DHD316A: 2.0b1_20171128, 2.0b1_20180828

DHD308A: 2.0b1_20180828

DHD304A: 2.0b1_20180828

DHD204: 1.06_20151201

DHD204A: 2.0b60_20160223, 2.0b60_20161123

DHD208: 2.0b60_20160504

DHD208A: 2.0b60_20160223, 2.0b60_20161123

DHD216: 2.0b60_20151111

DHD216A: 2.0b60_20160223, 2.0b60_20161123

External links

https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
http://www.meritlilin.com/tw/support/file/type/Firmware
https://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.