#VU16212 OS command injection in NUUO NVRmini 2 - CVE-2018-15716

Cybersecurity Help s.r.o.

Published: 2018-11-30 | Updated: 2021-06-17

Vulnerability identifier: #VU16212

Vulnerability risk: High

CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/U:Amber]

CVE-ID: CVE-2018-15716

CWE-ID: CWE-78

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
NUUO NVRmini 2
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: NUUO Inc.

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary shell commands on the target system.

The vulnerability exists in upgrade_handle.php due to insufficient validation of user-supplied input. A remote authenticated attacker can send specially crafted requests containing shell metacharacters in the uploaddir parameter for a writeuploaddir command to bypass the uploaddir filter and execute OS commands with root privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: the vulnerability exists due to insufficient patch for CVE-2018-14933.

Mitigation
Update to version 3.10.0 or later.

Vulnerable software versions

NUUO NVRmini 2: 3.0.0.63 - 3.9.1

External links
https://www.tenable.com/security/research/tra-2018-41
https://github.com/tenable/poc/tree/master/nuuo/nvrmini2/cve_2018_15716

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Command execution in NUUO NVRmini 2