Attack information

Tag
CVE-2018-9995
Date
2024-10-22
Client IP
5.226.76.115
Client GEO
Poland
Vendor
TBK Vision
Product
DVR4104
RAW request
GET /device.rsp?opt=user&cmd=list HTTP/1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Host: ████████████
X-Forwarded-For: ████████████
Accept-Encoding: gzip, deflate
Accept: */*
██████████████████
Connection: close

Description

CVE-2018-9995 is a critical authentication bypass vulnerability that affects TBK DVR4104 and DVR4216 devices, as well as their rebranded versions sold under names like Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login. The vulnerability arises from an error in handling a maliciously crafted HTTP cookie. When an attacker sends such a cookie, the device responds by sending back the admin credentials in clear text. This allows the attacker to gain administrative access to the device, including access to live camera feeds.

The vulnerability was discovered by security researcher Fernandez Ezequiel and has been known for over five years. Despite its age, it remains unpatched, and there are publicly available proof-of-concept (PoC) exploits that make it easy for attackers to exploit this flaw. FortiGuard Labs reported over 50,000 unique exploitation attempts in April 2023 alone, highlighting the ongoing risk.

The critical nature of this vulnerability is underscored by its CVSS score of 9.8. It requires no authentication or user interaction to exploit, making it highly accessible to remote attackers. The widespread use of the affected DVR devices in various sectors, including banking, retail, and government, further amplifies the potential impact.

Given the lack of vendor-provided patches, organizations using these devices are at significant risk. The vulnerability allows attackers to bypass authentication mechanisms, gain administrative privileges, and potentially access sensitive video feeds, posing severe security and privacy risks.

Mitigations
  1. Review Installed Devices: Identify and review all installed DVR devices to determine if they are affected by this vulnerability.
  2. Limit Access: Restrict access to the DVR's management interface to specific IP addresses to minimize exposure.
  3. Network Segmentation: Place DVR devices on a separate network segment to limit potential lateral movement by attackers.
  4. Monitor Traffic: Implement intrusion detection and prevention systems to monitor for unusual traffic patterns and exploitation attempts.
  5. Vendor Communication: Contact the vendor for any available patches or firmware updates and apply them immediately.
  6. Disable Unused Services: Disable any unnecessary services on the DVR devices to reduce the attack surface.
  7. Regular Audits: Conduct regular security audits and vulnerability assessments to identify and mitigate potential risks.
  8. User Education: Educate users and administrators about the risks associated with this vulnerability and the importance of following security best practices.
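As an added example for mitigation 4 (Monitor Traffic), here is a small Python classifier a defender could run over HTTP requests captured at a proxy, IDS tap or honeypot, keyed on the request shape shown in the RAW request above. It is not part of this record or of any vendor tooling. The two sample requests, the hostname and the source address are constructed; treating the presence of a Cookie header on a /device.rsp request as a second indicator follows from the description's account of the bypass, and the cookie value is a placeholder because the record redacts it.

```python
"""Flag CVE-2018-9995-style probes against a TBK DVR web interface.

Added example, not part of the original attack record. It classifies
raw HTTP/1.x requests by (1) the /device.rsp endpoint, (2) the
opt=user&cmd=list query that asks the device for its user list, and
(3) a Cookie header being present on that request (assumption drawn
from the record's description of a crafted-cookie bypass).
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests modelled on the RAW request in the record.
# Redacted fields are replaced with obvious placeholders.
PROBE = (
    "GET /device.rsp?opt=user&cmd=list HTTP/1.0\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14\r\n"
    "Host: dvr.example.internal\r\n"
    "X-Forwarded-For: 203.0.113.10\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Accept: */*\r\n"
    "Cookie: PLACEHOLDER_VALUE\r\n"
    "Connection: close\r\n\r\n"
)
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: dvr.example.internal\r\n"
    "Connection: close\r\n\r\n"
)


@dataclass
class Verdict:
    suspicious: bool
    source_ip: str
    reasons: list = field(default_factory=list)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, lower-cased headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method, target = parts[0], parts[1]
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw):
    """Return a Verdict; suspicious when two or more indicators line up."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    qs = parse_qs(url.query)
    reasons = []
    if url.path == "/device.rsp":
        reasons.append("hit on DVR endpoint /device.rsp")
        if qs.get("opt") == ["user"] and qs.get("cmd") == ["list"]:
            reasons.append("opt=user&cmd=list: request for the device's user list")
        if "cookie" in headers:
            reasons.append("Cookie header present on the /device.rsp request")
    # Prefer the proxy-supplied client address when one is present.
    xff = headers.get("x-forwarded-for", "")
    source_ip = xff.split(",")[0].strip() if xff else "unknown"
    return Verdict(suspicious=len(reasons) >= 2, source_ip=source_ip, reasons=reasons)


def scan(requests):
    """Return only the verdicts worth alerting on."""
    return [v for v in (classify(r) for r in requests) if v.suspicious]


if __name__ == "__main__":
    for v in scan([PROBE, BENIGN]):
        print(f"ALERT src={v.source_ip}: " + "; ".join(v.reasons))
```

The threshold of two indicators keeps ordinary browsing of the DVR's web UI out of the alert stream while still catching the probe shape recorded here; in production the same logic would read requests from the proxy or IDS log rather than from the embedded samples.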