NUUO NVR Web Interface RCE

Critical Nessus Plugin ID 103928

Synopsis

The remote network video recorder doesn't properly sanitize some user input.

Description

The remote network video recorder doesn't properly sanitize some user input which can allow a remote unauthenticated user to execute commands as root.

Solution

Apply the latest firmware update. It is unclear if NUUO has addressed this vulnerability in all products.

See Also

http://www.nessus.org/u?bc69e1ca

Plugin Details

Severity: Critical

ID: 103928

File Name: nuuo_os_command_execution.nasl

Version: 1.4

Type: remote

Family: CGI abuses

Published: 2017/10/18

Updated: 2018/06/14

Dependencies: 103929

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 9.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:U/RC:ND

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:U/RC:X

Vulnerability Information

Required KB Items: installed_sw/NUUO NVR

Patch Publication Date: 2017/08/15

Vulnerability Publication Date: 2017/09/12