CVE-2016-5676
Published 2016-08-31
Priority P2 · 74 · high · 7.5 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
EXPLOIT
EPSS: 53.72% (98.9th percentile)
cgi-bin/cgi_system in NUUO NVRmini 2 1.7.5 through 2.x, NUUO NVRsolo 1.7.5 through 2.x, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to reset the administrator password via a cmd=loaddefconfig action.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| nuuo | nvrmini_2 | — | — |
| nuuo | nvrmini_2 | — | — |
| nuuo | nvrmini_2 | — | — |
| nuuo | nvrmini_2 | — | — |
| nuuo | nvrmini_2 | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
Detection & IOCs
- Monitor HTTP requests targeting /cgi-bin/cgi_system with the parameter cmd=loaddefconfig, which triggers an unauthenticated administrator password reset on affected NUUO/NETGEAR devices.
- Unauthenticated exploitation is possible only on firmware versions before v1.7.6; on later versions an administrative password is required, so hits to this endpoint that succeed on patched devices may indicate credential-assisted attacks.
- The exploit targets the web management interface of NUUO NVRmini 2, NVRsolo, and NETGEAR ReadyNAS Surveillance; the attack surface is the exposed HTTP management port of these devices.
- The Metasploit module has been confirmed on NVRmini 2 and ReadyNAS Surveillance; NVRsolo and other NUUO devices are suspected vulnerable but unconfirmed.
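The monitoring guidance above as a log filter, an added example that is not part of the original page: it scans web or reverse-proxy access logs in Combined Log Format for requests to /cgi-bin/cgi_system carrying cmd=loaddefconfig. The sample lines are constructed; the function name, the case-insensitive matching and the assumption that the parameter arrives in the query string (request bodies are not in access logs) are choices made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Combined Log Format (not from a real device).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2016:10:01:02 +0000] "GET /cgi-bin/cgi_system?cmd=loaddefconfig HTTP/1.1" 200 12 "-" "curl/7.47"
198.51.100.4 - - [05/Aug/2016:10:02:10 +0000] "GET /cgi-bin/cgi_system?cmd=other HTTP/1.1" 200 40 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Aug/2016:10:03:55 +0000] "GET /cgi-bin/%63gi_system?x=1&CMD=LoadDefConfig HTTP/1.1" 200 12 "-" "-"
192.0.2.20 - - [05/Aug/2016:10:04:00 +0000] "GET /index.php?cmd=loaddefconfig HTTP/1.1" 404 0 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def find_reset_requests(log_text):
    """Return one dict per request to cgi_system with cmd=loaddefconfig."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m["target"])
        # Decode percent-encoding and collapse duplicate slashes before comparing.
        path = re.sub(r"/+", "/", unquote(url.path)).lower()
        if path != "/cgi-bin/cgi_system":
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        # Assumption: match name and value case-insensitively so that
        # casing tricks do not slip past the filter.
        cmds = [v.lower() for k, vals in params.items()
                if k.lower() == "cmd" for v in vals]
        if "loaddefconfig" in cmds:
            hits.append({"src": m["src"],
                         "status": int(m["status"]),
                         "target": m["target"]})
    return hits

if __name__ == "__main__":
    for hit in find_reset_requests(SAMPLE_LOG):
        print(hit["src"], hit["status"], hit["target"])
```

A hit with a 2xx status from an address outside the management network is the case to triage first, followed by a check of whether the administrator account still accepts its expected password.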
CVSS provenance
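| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |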
No detection rules found.
Exploit-DB
NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities
exploitdb·2016-08-05
CVE-2016-5680 NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities
---
>> Multiple vulnerabilities in NUUO NVRmini2 / NVRsolo / Crystal devices and NETGEAR ReadyNAS Surveillance application
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security (http://www.agileinfosec.co.uk/)
Disclosure: 04/08/2016 / Last updated: 04/08/2016
>> Background on the affected products:
"NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy har
Metasploit
NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Default Configuration Load and Administrator Password Reset
metasploit
The NVRmini 2 Network Video Recorder and the ReadyNAS Surveillance application are vulnerable to an administrator password reset on the exposed web management interface. Note that this only works for unauthenticated attackers in earlier versions of the Nuuo firmware (before v1.7.6), otherwise you need an administrative user password. This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance. It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested in those devices.
No writeups or analysis indexed.
Published: 2016-08-31