NUUO's Video Recorder Software can be exploited remotely using a stack buffer overflow and a debug code backdoor

Sep 17, 2018 20:30 GMT  ·  By

Tenable Research disclosed a pair of vulnerabilities in NUUO's Video Recorder Software which allow attackers to execute code remotely in NUUO-based IoT video surveillance systems, giving access to video feeds and recordings.

The remote code execution vulnerability has been named Peekaboo, a name that hints at what attackers gain once they have compromised a NUUO video surveillance network: a view through its cameras.

The first vulnerability of the pair found by Tenable Research in NUUO’s Network Video Recorder software is a critical unauthenticated stack buffer overflow, while the second one consists of a backdoor in leftover debug code.

Both vulnerabilities were verified on the NVRMini2, NUUO's lightweight, portable NVR appliance with NAS functionality, and they are rated critical because together they give an attacker full system access.

The attack vector against the NVRMini2 (and the NVR software generally) is the device's web service: the stack buffer overflow reported by Tenable Research can be triggered remotely through it, before any authentication takes place.
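The page does not describe where in NUUO's web service the overflow sits or how it is triggered, so the following is an added, generic illustration of the bug class rather than NUUO's code or Tenable's finding: a hypothetical handler that copies the value of an HTTP `Cookie` header into a fixed-size stack buffer, shown first in its vulnerable form and then hardened with a length check. The header format, buffer size and function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SESSION_MAX 32   /* size of the fixed stack buffer (chosen for the example) */

/* Vulnerable pattern (hypothetical, NOT NUUO's code): the bytes after
 * "session=" are copied into a fixed stack buffer by sscanf with an
 * unbounded %[ conversion. A value longer than SESSION_MAX-1 bytes runs
 * past `session` into the saved frame pointer and return address, and
 * nothing about the request has been authenticated at this point.
 * It is only ever called with short input in this listing. */
int extract_session_unsafe(const char *cookie_header, char *out, size_t outlen)
{
    const char *p = strstr(cookie_header, "session=");
    if (p == NULL) return -2;                  /* no session token present */
    char session[SESSION_MAX];
    session[0] = '\0';
    sscanf(p + strlen("session="), "%[^;]", session);   /* no width limit */
    snprintf(out, outlen, "%s", session);
    return (int)strlen(session);
}

/* Hardened version: measure the token first, reject anything that would
 * not fit in either buffer, then copy exactly that many bytes and
 * terminate. Rejecting (not truncating) is deliberate: a token that is
 * too long is never a legitimate request. */
int extract_session_safe(const char *cookie_header, char *out, size_t outlen)
{
    const char *p = strstr(cookie_header, "session=");
    if (p == NULL) return -2;
    p += strlen("session=");
    size_t len = strcspn(p, ";\r\n");           /* token ends at ';' or end of line */
    if (len >= SESSION_MAX || len >= outlen) return -1;  /* would overflow: reject */
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Wrappers that return only the parsed length, for the self-test below. */
int safe_len(const char *hdr)
{
    char out[SESSION_MAX];
    return extract_session_safe(hdr, out, sizeof out);
}

int unsafe_len(const char *hdr)
{
    char out[SESSION_MAX];
    return extract_session_unsafe(hdr, out, sizeof out);
}

/* Constructed oversized request: "Cookie: session=" followed by ~240 'A's.
 * Returns 1 when the hardened parser refuses it. (Feeding this to
 * extract_session_unsafe would smash the stack; it is not done here.) */
int long_request_is_rejected(void)
{
    char hdr[256];
    memset(hdr, 'A', sizeof hdr);
    memcpy(hdr, "Cookie: session=", 16);
    hdr[sizeof hdr - 1] = '\0';
    char out[SESSION_MAX];
    return extract_session_safe(hdr, out, sizeof out) == -1;
}

int main(void)
{
    /* Constructed sample header, not captured traffic. */
    const char *req = "Cookie: session=abc12345; path=/";
    printf("safe parser, normal request: length %d\n", safe_len(req));
    printf("unsafe parser, normal request: length %d\n", unsafe_len(req));
    printf("safe parser rejects oversized token: %s\n",
           long_request_is_rejected() ? "yes" : "no");
    return 0;
}
```

The point of contrast is that the fix is not a bigger buffer but a bound derived from the destination before any copy happens, and a request that exceeds it is dropped rather than silently truncated.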

NUUO's video recording software is bundled with thousands of cameras from more than 100 third-party vendors

Once attackers have full access to the NVRMini2, they can view any camera feed or recording reachable from the compromised device and, as a bonus, read the plaintext credentials of every connected camera.

The bigger issue is that NUUO's Video Recorder Software also ships as the management tool for more than 100 third-party surveillance camera manufacturers, which greatly widens the reach of the vulnerabilities disclosed in Tenable Research's report.

Tenable's researchers went public on Monday after giving NUUO 105 days to release a patch for the affected software. NUUO only had the patch ready just after the media had been alerted.

According to an interview given by Gavin Millard, VP of threat intelligence at Tenable, to ZDNet, "preliminary estimates show that Peekaboo could affect up to hundreds of thousands of web-based cameras and devices worldwide."