An RCE in Annke video surveillance product allows hacking the device

Researchers from Nozomi Networks discovered a critical vulnerability that can be exploited to hack a video surveillance product made by Annke.

Researchers at industrial and IoT cybersecurity firm Nozomi Networks have discovered a critical flaw affecting a video surveillance product made by Annke, a popular manufacturer of surveillance systems and solutions. The vulnerability, tracked as CVE-2021-32941, can be exploited by an attacker to hack a video surveillance product made by Annke, a provider of home and business security solutions.

Annke produces a variety of IP cameras, NVRs, and accessories, but the researchers focused their analysis on the N48PBB, an NVR device that allows customers to view and record footage from up to eight Power over Ethernet (PoE) IP security cameras.

The N48PBB NVR exposes a web application that allows interaction with the device and the connected cameras. The device allows customers to watch live video streams, manage cameras, and store video captured by cameras.

“Nozomi Networks Labs has discovered a critical Remote Code Execution (RCE) vulnerability (CVE-2021-32941) related to the web service of the Annke N48PBB network video recorder (NVR). This information is being shared as part of a coordinated disclosure with ICS-CERT, which published advisory ICSA-21-238-02, and with the vendor, Annke, which has released firmware that fixes the issue.” reads the security advisory published by Nozomi Networks Labs. “Exploitation of the vulnerability might result in the loss of confidentiality, integrity, and availability of the device itself, as well as the data stored inside it. Outcomes could potentially include a loss of employee privacy, a loss of confidentiality regarding valuable assets, or a shut down of the NVR at will.”

The flaw is a stack-based buffer overflow that affects the web service of the Annke N48PBB network video recorder (NVR); an attacker can trigger it to remotely execute arbitrary code and access sensitive information. The issue can allow an attacker to access recorded videos, delete footage, change configurations, and shut down certain cameras.

Nozomi researchers noticed that the web interface of the device allows enabling an SSH service on the device, which provides access to a restricted number of commands. The experts reverse engineered the firmware to obtain fully unrestricted SSH access. They first extracted the firmware by physically attaching to the device’s onboard memory, then modified it to disable all SSH restrictions and add several debugging tools. At the end of the process, the modified firmware was written back to the device’s memory.

Figure: The mainboard of the Annke N48PBB (source: Nozomi).

Experts pointed out that exploitation of the vulnerability requires authentication, but an attacker could use a cross-site request forgery (CSRF) attack. The attacker could trick a logged-in user, operator or administrator into accessing a specially crafted web page while logged in to the NVR’s admin interface.

“Furthermore, as no anti-CSRF (Cross-Site Request Forgery) mitigations were found in the functionality, the vulnerability could be exploited indirectly by external attackers in “drive-by download” attacks. It is sufficient for an administrator, operator, or user to browse a specifically crafted webpage, while simultaneously logged in to the web interface of the device, to potentially cause the execution of external malicious code on the device itself.” continues the advisory.
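The two weaknesses described above (a stack-based buffer overflow in the web service and state-changing requests with no anti-CSRF check) correspond to two server-side checks, sketched here as an added example that is not Annke's or Nozomi's code. The handler, the `PARAM_MAX` buffer size and the copied parameter are hypothetical, since the article does not name the vulnerable function or field; the addresses and host names are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 64 /* assumed size of the handler's fixed stack buffer */

/* 1 if Origin names the host the request was sent to; a cross-site page sends its own. */
int same_origin(const char *origin, const char *host)
{
    const char *p;
    if (origin == NULL || host == NULL)
        return 0;                       /* missing header: refuse */
    p = strstr(origin, "://");
    if (p == NULL)
        return 0;                       /* "null" or malformed origin */
    return strcmp(p + 3, host) == 0;    /* host[:port] must match exactly */
}

/* Copy a parameter into a fixed buffer; oversize input is rejected rather
 * than truncated or written past the end. 0 on success, -1 on reject. */
int copy_param(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);            /* n + 1 includes the terminator */
    return 0;
}

/* Hypothetical state-changing handler; returns an HTTP status code. */
int handle_config_request(const char *origin, const char *host, const char *value)
{
    char name[PARAM_MAX];
    if (!same_origin(origin, host))
        return 403;                     /* cross-site request */
    if (copy_param(name, sizeof name, value) != 0)
        return 400;                     /* would not fit in name[] */
    return 200;                         /* name[] is safe to use from here */
}

int main(void)
{
    /* Constructed requests: same-site, then forged from another origin. */
    printf("%d\n", handle_config_request("http://192.0.2.10", "192.0.2.10", "cam1"));
    printf("%d\n", handle_config_request("https://other.example", "192.0.2.10", "cam1"));
    return 0;
}
```

The origin check runs before any parameter is parsed, so a request forged from another site never reaches the copy; the length check then covers oversize input from an authenticated same-site client.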

CVE-2021-32941 received a CVSS v3 base score of 9.4.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also published a security advisory on this vulnerability.

“The affected products are vulnerable to a stack-based buffer overflow, which allows an unauthorized remote attacker to execute arbitrary code with the same privileges as the server user (root).” reads the security advisory published by CISA.

Nozomi reported the vulnerability to Annke on July 11 and the vendor addressed it with a firmware update on July 22.

Nozomi Networks has released specific updates to its Threat Intelligence service to detect and block attacks attempting to exploit the vulnerability.

Pierluigi Paganini

(SecurityAffairs – hacking, ANNKE)
