Vulnerability identifier: #VU26286
Vulnerability risk: High
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-78
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
DHD516A
Hardware solutions /
Office equipment, IP-phones, print servers
DHD508A
Hardware solutions /
Office equipment, IP-phones, print servers
DHD504A
Hardware solutions /
Office equipment, IP-phones, print servers
DHD316A
Hardware solutions /
Office equipment, IP-phones, print servers
DHD308A
Hardware solutions /
Office equipment, IP-phones, print servers
DHD304A
Hardware solutions /
Office equipment, IP-phones, print servers
DHD204
Hardware solutions /
Office equipment, IP-phones, print servers
DHD204A
Hardware solutions /
Office equipment, IP-phones, print servers
DHD208
Hardware solutions /
Office equipment, IP-phones, print servers
DHD208A
Hardware solutions /
Office equipment, IP-phones, print servers
DHD216
Hardware solutions /
Office equipment, IP-phones, print servers
DHD216A
Hardware solutions /
Office equipment, IP-phones, print servers
Vendor: Merit LILIN Ent. Co., Ltd.
Description
The vulnerability allows a remote authenticated user to execute arbitrary shell commands on the target system.
The vulnerability exists due to absent filtration of user-supplied data to /z/zbin/dvr_box
URL when processing XML files. The affected parameters are NTPUpdate, FTP, and NTP. A remote authenticated user can inject and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability can be exploited by non-authenticated attacker using hard-coded credentials issue (described in vulnerability #1).
Mitigation
Install updates from vendor's website.
Vulnerable software versions
DHD516A: 2.0b1_20180828
DHD508A: 2.0b1_20180828
DHD504A: 2.0b1_20190417 - 2.0b1_20191202
DHD316A: 2.0b1_20171128 - 2.0b1_20180828
DHD308A: 2.0b1_20180828
DHD304A: 2.0b1_20180828
DHD204: 1.06_20151201
DHD204A: 2.0b60_20160223 - 2.0b60_20161123
DHD208: 2.0b60_20160504
DHD208A: 2.0b60_20160223 - 2.0b60_20161123
DHD216: 2.0b60_20151111
DHD216A: 2.0b60_20160223 - 2.0b60_20161123
External links
http://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
http://www.meritlilin.com/tw/support/file/type/Firmware
http://www.meritlilin.com/assets/uploads/support/file/M00158-TW.pdf
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.