NUUO NVR Web Interface RCE

Critical Nessus Plugin ID 103928

Synopsis

The remote network video recorder doesn't properly sanitize some user input.

Description

The remote network video recorder doesn't properly sanitize some user input which can allow a remote unauthenticated user to execute commands as root.

Solution

Apply the latest firmware update. It is unclear if NUUO has addressed this vulnerability in all products.

See Also

http://www.nessus.org/u?bc69e1ca

Plugin Details

Severity: Critical

ID: 103928

File Name: nuuo_os_command_execution.nasl

Version: $Revision: 1.2 $

Type: remote

Family: CGI abuses

Published: 2017/10/18

Modified: 2017/10/19

Dependencies: 103929

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 9.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:U/RC:ND

CVSSv3

Base Score: 9.8

Temporal Score: 9.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:U/RC:X

Vulnerability Information

Required KB Items: installed_sw/NUUO NVR

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/08/15

Vulnerability Publication Date: 2017/09/12

Reference Information

OSVDB: 166672