
Earlier this week, Tenable Inc announced that its research team had discovered a zero-day vulnerability dubbed ‘Peekaboo’ in NUUO software. NUUO licenses its software to at least 100 other brands including Sony, Cisco Systems, D-Link, Panasonic and many more. The vulnerable device is the NVRMini2, a network-attached storage device and network video recorder. The vulnerability would allow cybercriminals to view, disable or otherwise manipulate video footage using administrator privileges.

To give you a small gist of the situation, hackers could replace the live feed of video surveillance with a static image of the area. This could help criminals enter someone’s premises undetected by the CCTV! Cameras with this bug could be manipulated and taken offline, worldwide. And this is not the first time that NUUO devices have been affected by a vulnerability. Just last year, there were reports of NUUO NVR devices being specifically targeted by the Reaper IoT Botnet.

“The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe”
– Renaud Deraison, co-founder and chief technology officer, Tenable

Vulnerabilities discovered by Tenable

The vulnerabilities, CVE-2018-1149 and CVE-2018-1150, are tied to the NUUO NVRMini2 web server software.

#1 CVE-2018-1149: Allows an attacker to sniff out affected gear

With this vulnerability, attackers can sniff out affected gear using Shodan. The attacker can then trigger a buffer overflow that allows them to access the camera’s web server Common Gateway Interface (CGI), which acts as a gateway between a remote user and the web server. The attack delivers a very large cookie file to the CGI handler. Because the CGI does not validate the user’s input properly, the attacker gains access to the web server portion of the camera.
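The defensive counterpart to the oversized-cookie overflow described above, as an added example (not NUUO's or Tenable's code): a CGI-side cookie reader that rejects an over-long value instead of copying it into a fixed buffer. The cookie name `session_id`, the `SID_MAX` limit and the function name are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX 32   /* assumed upper bound on a session id; not from the advisory */

enum { COOKIE_OK = 0, COOKIE_MISSING = -1, COOKIE_TOO_LONG = -2, COOKIE_BAD_CHAR = -3 };

/* Copy the value of cookie `name` out of a Cookie header (what a CGI program
 * receives in HTTP_COOKIE) into out[out_sz]. The unsafe pattern is an unbounded
 * strcpy()/sprintf() of this attacker-controlled value into a fixed buffer. */
int get_cookie(const char *header, const char *name, char *out, size_t out_sz)
{
    if (!header || !name || !out || out_sz == 0)
        return COOKIE_MISSING;
    out[0] = '\0';
    size_t name_len = strlen(name);

    for (const char *p = header; *p; ) {
        while (*p == ' ' || *p == ';')            /* skip pair separators */
            p++;
        const char *end = strchr(p, ';');
        size_t pair_len = end ? (size_t)(end - p) : strlen(p);

        if (pair_len > name_len && p[name_len] == '=' && !strncmp(p, name, name_len)) {
            const char *val = p + name_len + 1;
            size_t val_len = pair_len - name_len - 1;
            if (val_len >= out_sz)                /* oversized: reject, never truncate */
                return COOKIE_TOO_LONG;
            for (size_t i = 0; i < val_len; i++)  /* allow-list the value's characters */
                if (!isalnum((unsigned char)val[i]))
                    return COOKIE_BAD_CHAR;
            memcpy(out, val, val_len);
            out[val_len] = '\0';
            return COOKIE_OK;
        }
        p += pair_len;
    }
    return COOKIE_MISSING;
}

int main(void)
{
    char sid[SID_MAX + 1];
    /* Constructed sample header; "session_id" is a hypothetical cookie name. */
    int rc = get_cookie("lang=en; session_id=abc123DEF", "session_id", sid, sizeof sid);
    printf("rc=%d sid=%s\n", rc, sid);
    return rc == COOKIE_OK ? 0 : 1;
}
```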

#2 CVE-2018-1150: Takes advantage of Backdoor functionality

This bug takes advantage of the backdoor functionality in the NUUO NVRMini2 web server. When the backdoor PHP code is enabled, it allows an unauthenticated attacker to change the password for any registered user except the administrator of the system.

‘Peekaboo’ affects firmware versions older than 3.9.0. Tenable states that NUUO was notified of this vulnerability in June and was given 105 days to issue a patch before the bugs were publicly disclosed. Tenable’s GitHub page provides more details on potential exploits tested with one of NUUO’s NVRMini2 devices.

NUUO is planning to issue a security patch. Meanwhile, users are advised to restrict access to their NUUO NVRMini2 deployments. Owners of devices connected directly to the internet are especially at risk. Affected end users are urged to disconnect these devices from the internet until a patch is released.
For more information on Peekaboo, head over to the Tenable Research Advisory blog post.
