#VU26286 OS Command Injection in Merit LILIN Ent. Co., Ltd. Hardware solutions


Published: 2020-03-21

Vulnerability identifier: #VU26286

Vulnerability risk: High

CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-78

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
DHD516A
Hardware solutions / Office equipment, IP-phones, print servers
DHD508A
Hardware solutions / Office equipment, IP-phones, print servers
DHD504A
Hardware solutions / Office equipment, IP-phones, print servers
DHD316A
Hardware solutions / Office equipment, IP-phones, print servers
DHD308A
Hardware solutions / Office equipment, IP-phones, print servers
DHD304A
Hardware solutions / Office equipment, IP-phones, print servers
DHD204
Hardware solutions / Office equipment, IP-phones, print servers
DHD204A
Hardware solutions / Office equipment, IP-phones, print servers
DHD208
Hardware solutions / Office equipment, IP-phones, print servers
DHD208A
Hardware solutions / Office equipment, IP-phones, print servers
DHD216
Hardware solutions / Office equipment, IP-phones, print servers
DHD216A
Hardware solutions / Office equipment, IP-phones, print servers

Vendor: Merit LILIN Ent. Co., Ltd.

Description

The vulnerability allows a remote authenticated user to execute arbitrary shell commands on the target system.

The vulnerability exists due to absent filtration of user-supplied data to /z/zbin/dvr_box URL when processing XML files. The affected parameters are NTPUpdate, FTP, and NTP.  A remote authenticated user can inject and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note, this vulnerability can be exploited by non-authenticated attacker using hard-coded credentials issue (described in vulnerability #1).

Mitigation
Install updates from vendor's website.

Vulnerable software versions

DHD516A: 2.0b1_20180828

DHD508A: 2.0b1_20180828

DHD504A: 2.0b1_20190417 - 2.0b1_20191202

DHD316A: 2.0b1_20171128 - 2.0b1_20180828

DHD308A: 2.0b1_20180828

DHD304A: 2.0b1_20180828

DHD204: 1.06_20151201

DHD204A: 2.0b60_20160223 - 2.0b60_20161123

DHD208: 2.0b60_20160504

DHD208A: 2.0b60_20160223 - 2.0b60_20161123

DHD216: 2.0b60_20151111

DHD216A: 2.0b60_20160223 - 2.0b60_20161123

External links
http://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
http://www.meritlilin.com/tw/support/file/type/Firmware
http://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Merit LILIN DVR devices