Vulnerability identifier: #VU26285
Vulnerability risk: Critical
CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-798
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
DHD516A, DHD508A, DHD504A, DHD316A, DHD308A, DHD304A, DHD204, DHD204A, DHD208, DHD208A, DHD216, DHD216A
Category (all products listed): Hardware solutions / Office equipment, IP-phones, print servers
Vendor: Merit LILIN Ent. Co., Ltd.
Description
The vulnerability allows a remote attacker to gain full access to the vulnerable system.
The vulnerability exists due to the presence of hard-coded credentials in the application code. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Hard-coded accounts:
root/icatch99
report/8Jg0SR8K50
Note: this vulnerability has been actively exploited in the wild since August 2019.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
DHD516A: 2.0b1_20180828
DHD508A: 2.0b1_20180828
DHD504A: 2.0b1_20190417 - 2.0b1_20191202
DHD316A: 2.0b1_20171128 - 2.0b1_20180828
DHD308A: 2.0b1_20180828
DHD304A: 2.0b1_20180828
DHD204: 1.06_20151201
DHD204A: 2.0b60_20160223 - 2.0b60_20161123
DHD208: 2.0b60_20160504
DHD208A: 2.0b60_20160223 - 2.0b60_20161123
DHD216: 2.0b60_20151111
DHD216A: 2.0b60_20160223 - 2.0b60_20161123
External links
http://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
http://www.meritlilin.com/tw/support/file/type/Firmware
http://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.