lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <01fd01d218ba$78ccd840$6a6688c0$@gmail.com>
Date: Tue, 27 Sep 2016 05:27:10 -0700
From: "Travis Lee" <eelsivart@...il.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] Vulnerability Note VU#667480 - AVer EH6108H+ hybrid DVR
	contains multiple vulnerabilities

Vulnerability Note VU#667480

AVer Information EH6108H+ hybrid DVR contains multiple vulnerabilities

https://www.kb.cert.org/vuls/id/667480

 

 

Overview:

AVer Information EH6108H+ hybrid DVR, version X9.03.24.00.07l and possibly
earlier, reportedly contains multiple vulnerabilities, including
undocumented privileged accounts, authentication bypass, and information
exposure.

 

Description:

AVer Information EH6108H+ hybrid DVR is an IP security camera management
system and streaming video recorder. Version X9.03.24.00.07l and possibly
earlier are reported to contain multiple vulnerabilities.

 

CWE-798: Use of Hard-coded Credentials - CVE-2016-6535

 

AVer Information EH6108H+ reportedly contains two undocumented, hard-coded
account credentials. Both accounts have root privileges and may be used to
gain access via an undocumented telnet service that cannot be disabled
through the web user interface and runs by default.

 

CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-6536

 

By guessing the handle parameter of the /setup page of the web interface, an
unauthenticated attacker reportedly may be able to access restricted pages
and alter DVR configurations or change user passwords.

 

CWE-200: Information Exposure - CVE-2016-6537

 

User credentials are reported to be stored and transmitted in an insecure
manner. In the configuration page of the web interface, passwords are stored
in base64-encoded strings. In client requests, credentials are listed in
plain text in the cookie header.

 

For more information, refer to the researcher's disclosure.
(https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-
and-more)

 

Impact:

A remote, unauthenticated attacker may be able to gain access with root
privileges to completely compromise vulnerable devices.

 

Solution:

The CERT/CC is currently unaware of a practical solution to this problem and
recommends the following workaround.

Restrict access

 

As a general good security practice, only allow connections from trusted
hosts and networks.

 

References:

http://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/

https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a
nd-more

https://cwe.mitre.org/data/definitions/798.html

https://cwe.mitre.org/data/definitions/302.html

https://cwe.mitre.org/data/definitions/200.html


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ