Vacron NVR Remote Command Execution
Severity: Critical
Nessus Plugin ID: 104124
Synopsis
The Vacron network video recorder is affected by a remote command execution vulnerability.
Description
The remote Vacron network video recorder is affected by a remote command execution vulnerability due to improper sanitization of user-supplied input passed via /board.cgi. An unauthenticated remote attacker can exploit this, via a specially crafted URL, to execute arbitrary commands on the device.
This vulnerability has been used by the IoT Reaper botnet.
Note that Nessus has detected this vulnerability by reading the contents of the file /proc/cpuinfo.
Solution
At the time of publication, Vacron had not yet released a patch. Users should take precautions to ensure affected devices are not exposed to the internet and that the devices are properly isolated on the local network.
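Since no patch is available, reviewing proxy or web logs for requests to /board.cgi is one way to find probing of exposed recorders. The following is an added example, not part of the Nessus plugin or any vendor code; it assumes combined-format access logs, and the parameter name `x` and all log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in combined log format (not real traffic).
# "x" is a placeholder parameter name; the advisory does not name the real one.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Oct/2017:10:01:02 +0000] "GET /board.cgi?x=%2Fproc%2Fcpuinfo HTTP/1.1" 200 512 "-" "-"
203.0.113.9 - - [24/Oct/2017:10:05:40 +0000] "GET /board.cgi?x=a%253Bid HTTP/1.1" 200 64 "-" "-"
192.0.2.15 - - [24/Oct/2017:10:06:11 +0000] "GET /board.cgi HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.15 - - [24/Oct/2017:10:07:00 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SHELL_META = re.compile(r'[;|&`$<>\n]')  # characters a shell treats specially

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %253B -> %3B -> ;)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Return (source, timestamp, status, reason) for suspicious /board.cgi hits."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, ts, _method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/board.cgi"):
            continue
        for _name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)
            if "/proc/cpuinfo" in value:      # the file the Nessus check reads
                reason = "file-read probe"
            elif SHELL_META.search(value):
                reason = "shell metacharacters"
            else:
                continue
            findings.append((src, ts, status, reason))
            break  # one finding per request is enough
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A 200 status on a flagged request only shows the device answered; confirming impact requires examining the device itself.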