Last month researchers from cybersecurity firm Digital Defense disclosed they had discovered a vulnerability in Nuuo NVRmini 2 Network Video Recorder firmware, basic software which is used in hundreds of thousands of IP surveillance cameras across the world.
The Linux-based software is used in a wide array of the company’s IP cameras, supports NAS storage and is capable of monitoring up to 64 live video channels. The bug centers around an unauthenticated remote buffer overflow security flaw which an attacker can exploit through executing arbitrary code on a system with root privileges. In addition to allowing a potential attacker to make use of the bug to access and modify video feeds and recordings from their cameras, the exploit also permits changing the configuration and settings of cameras.
This is achieved through “Overflowing of the stack variable, which is intended to hold the request data, results in the overwriting of stored return addresses, and with a properly crafted payload, can be leveraged to achieve arbitrary code execution,” Digital Defense said.
NVRmini 2 firmware prior to and including version 3.9.1 are vulnerable to this exploit, however Nuuo has responded to the discovery and has released a patch to resolve the issue.
So called zero-day exploits are some of the most damaging security flaws you can have in your security solution at large. These exploits or bugs are found in software from the day of its release onwards unless they are detected through chance or pro-active research into the software as described in the situation above. These exploits will be known only to potential attackers and the online communities they share this intel with up to that point, and a significant degree of damage and compromise can occur during that time period, up to and including the possible installation of backdoors unknown to the creators of the software and modification of source code if the exploit allows for that.
The zero in “zero-day” actually refers to the time at which the vendor of the software discovers the vulnerability. Up to that day the vulnerability would be referred to as a zero-day vulnerability, but after 30 days, a 30-day vulnerability and so on. It is during this time that the vendor will typically be working on a patch or workaround to mitigate the exploit, but depending on the specifics of the bug, potential attackers with knowledge of the bug may also be working on “counter patches” of their own.
A zero-day attack should always be considered a serious threat, and even after a patch has been developed, there is no guarantee that every user or even a majority will have installed the patch. Those who write malware have several different attack vectors available to them to exploit zero-day vulnerabilities, from executing malicious code exploiting web browsers to email attachments containing malicious code via SMTP.
In the context of the security industry, these types of exploits can have potentially devastating consequences. As we trust in the convenience and technical superiority of IP cameras and access control systems, it is critical to use reputable vendors and an integrator with the response time to manage and respond to crisis events.
Security Technology of South Texas is locally owned and operated out of San Antonio, Texas. We provide integration of security products and infrastructure for commercial scale projects in the South Texas area.
Call us today to set up a consultation, 24/7 210-446-4863 or email firstname.lastname@example.org on our website