CVE-2018-16946
Published 2018-09-12
Priority P262 · high · 7.5 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 9.35% (94.8th percentile)
LG LNB*, LND*, LNU*, and LNV* smart network camera devices have broken access control. Attackers are able to download /updownload/t.report (aka Log & Report) files and download backup files (via download.php) without authenticating. These backup files contain user credentials and configuration information for the camera device. An attacker is able to discover the backup filename via reading the system logs or report data, or just by brute-forcing the backup filename pattern. It may be possible to authenticate to the admin account with the admin password.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lg | lnb5110_firmware | 1310250 – 1508190 | — |
| lg | lnb5320_firmware | 1310250 – 1508190 | — |
| lg | lnb5320r_firmware | 1310250 – 1508190 | — |
| lg | lnb7210_firmware | 1310250 – 1508190 | — |
| lg | lnd3230r_firmware | 1310250 – 1508190 | — |
| lg | lnd5110_firmware | 1310250 – 1508190 | — |
| lg | lnd5110r_firmware | 1310250 – 1508190 | — |
| lg | lnd5220r_firmware | 1310250 – 1508190 | — |
| lg | lnd7210_firmware | 1310250 – 1508190 | — |
| lg | lnd7210r_firmware | 1310250 – 1508190 | — |
| lg | lnu3230r_firmware | 1310250 – 1508190 | — |
| lg | lnu5110r_firmware | 1310250 – 1508190 | — |
| lg | lnu5320r_firmware | 1310250 – 1508190 | — |
| lg | lnu7210r_firmware | 1310250 – 1508190 | — |
| lg | lnv5110r_firmware | 1310250 – 1508190 | — |
| lg | lnv5320r_firmware | 1310250 – 1508190 | — |
| lg | lnv7210_firmware | 1310250 – 1508190 | — |
| lg | lnv7210r_firmware | 1310250 – 1508190 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to /updownload/t.report — no session/auth cookie required; any 200 response leaks log/report data including model ID and firmware version usable for backup filename construction.
- Detect unauthenticated GET requests to /download.php?file=backup_*.config — the backup file contains plaintext user credentials and device configuration (stored in mipsca.db SQLite database inside the archive).
- Alert on HTTP Basic Auth header value 'YWRtaW46YWRtaW4=' (base64 for admin:admin) sent to LG camera endpoints — exploit first tries default credentials before brute-forcing backup filenames.
- Monitor for sequential/rapid unauthenticated requests to /download.php?file=backup_<date>_<version>.config iterating over dates (up to 3650 days back) — characteristic brute-force pattern of the exploit.
- Known vulnerable model version strings to match in backup filenames or report data: 2219.0.0.1505220, 2745.0.0.1508190, 1954.0.0.1410150, 1030.0.0.1310250.
- Backup filename is date-dependent (YYMMDD) and model-version-dependent; defenders should monitor for the pattern backup_YYMMDD_<version>.config rather than a static filename.
- The exploit targets LG camera model families LNB*, LND*, LNU*, and LNV* — scope detection rules to these device families to reduce false positives.
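The report, backup and brute-force detections above, applied to web access logs. This is an added example, not taken from the sources this page indexes. It assumes a reverse proxy in front of the camera that writes Common Log Format with the authenticated user in the third field; the log lines, client addresses and the threshold of 3 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Common Log Format (not captured traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Sep/2018:10:00:01 +0000] "GET /updownload/t.report HTTP/1.1" 200 5120
198.51.100.7 - - [12/Sep/2018:10:00:02 +0000] "GET /download.php?file=backup_180912_2745.0.0.1508190.config HTTP/1.1" 404 0
198.51.100.7 - - [12/Sep/2018:10:00:02 +0000] "GET /download.php?file=backup_180911_2745.0.0.1508190.config HTTP/1.1" 404 0
198.51.100.7 - - [12/Sep/2018:10:00:03 +0000] "GET /download.php?file=backup_180910_2745.0.0.1508190.config HTTP/1.1" 200 20480
192.0.2.10 - admin [12/Sep/2018:11:00:00 +0000] "GET /download.php?file=backup_180901_2745.0.0.1508190.config HTTP/1.1" 200 20480
192.0.2.10 - admin [12/Sep/2018:11:05:00 +0000] "GET /index.html HTTP/1.1" 200 900
"""

LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3}) ')
BACKUP = re.compile(r"^/download\.php\?file=backup_(\d{6})_[\d.]+\.config$")
REPORT_PATH = "/updownload/t.report"

def analyze(log_text, threshold=3):
    """Return (client, finding, detail) tuples for unauthenticated requests."""
    findings = []
    dates_tried = defaultdict(set)  # client -> distinct YYMMDD values requested
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, user, path, status = m.groups()
        if user != "-":  # request carried an authenticated user; out of scope
            continue
        if path == REPORT_PATH and status == "200":
            findings.append((client, "report_leak", path))
            continue
        b = BACKUP.match(path)
        if not b:
            continue
        seen = dates_tried[client]
        if b.group(1) not in seen:
            seen.add(b.group(1))
            if len(seen) == threshold:  # assumed cut-off, reported once
                findings.append((client, "backup_bruteforce", f"{threshold} dates"))
        if status == "200":
            findings.append((client, "backup_leak", path))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Matching on the backup_YYMMDD_<version>.config pattern rather than a fixed filename lets the same rule catch both a successful download and the date iteration that precedes it.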
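CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |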