14 DAY TRIAL // A couple of vulnerabilities have been discovered in the HVG video gateway product series from SerVision, allowing access to the web interface without the need to authenticate.
The base severity rating for the two bugs is 10, the highest possible, since exploiting them does not require a skillful attacker, who can act from afar, and the impact can lead to taking control of the device.
Flaw has double security impact
HVG from SerVision is a video recording unit designed for small businesses and residential sites. The footage it captures can be viewed from dedicated client applications or on a close-circuit monitor connected to the unit. The products also include support for remote centralized monitoring of an area.
One of the glitches found, now tracked as CVE-2015-0929, has a double security impact as leveraging it allows an unauthenticated user to bypass the log-in process and take control of the unit, while an authenticate user can elevate privileges.
This could be achieved by accessing the “time.htm” resource, which issues a cooking awarding the attacker administrative rights in the web console of the device.
According to Carnegie Mellon University CERT (Computer Emergency Response Team) division, CVE-2015-0929 received a fix for the authentication bypass risk in build 2.2.26a78 and later of the firmware. However, the privilege elevation danger is yet to be mitigated, as the current firmware release, 2.2.26a100, does not address it.
Workaround offered if update process cannot be carried out
A second vulnerability, identified as CVE-2015-0930, is of a more thistly sort as it refers to a password that is hard-coded in the device, which enables any user to log into the web interface with administrative rights.
The advisory from CERT says that the issue has been solved in the latest revision of the firmware.
Updating the product is the general recommendation, but if the procedure cannot be completed, users are advised to restrict connections to the unit to trusted networks and hosts.
“Appropriate firewall rules which block incoming connections from untrusted networks would likely prevent an external attacker from accessing the device,” reads the advisory, adding the warning that trusted, authenticated users can still access the “time.htm” file and increase privileges.
SerVision’s products are widely employed to ensure monitoring of protected objectives, as well as in transportation sector. One of the benefits touted by the company is the advanced video compression technology that permits improved video streaming quality over cellular and low bandwidth networks.
