Researcher Discloses Unpatched Vulnerabilities In NUUO NVRmini2 Devices

A security researcher has recently disclosed serious vulnerabilities affecting NUUO NVRmini2 devices. The researcher claims to have found and reported these bugs years ago, yet, the vendors haven’t patched them.

NUUO NVRmini2 Vulnerabilities

According to the security researcher Pedro Ribeiro, at least two different vulnerabilities cripple the security of NUUO NVRmini2 surveillance devices. NUUO NVRmini2 is a portable network video recording and storage solution with NAS functionality.

As described on GitHub, the first of these vulnerabilities is a critical missing authentication on handle_import_user.php. Exploiting this bug (CVE-2022-23227) allows an unauthenticated adversary to upload encrypted TAR archive files. When coupled with another vulnerability (CVE-2011-5325), the exploit may allow remote code execution.

Regarding this bug (CVE-2011-5325), the researcher described it as a high-severity directory traversal vulnerability in the old busybox version that the device uses.

The NVRmini2 uses a very old busybox version, something that is common amongst IoT devices. The latest firmware version 03.11.0000.0016 uses BusyBox v1.16.1 (2013-11-12 15:35:46 CST) multi-call binary.
This version is affected by many vulnerabilities, one of them being CVE-2011-5325, a directory traversal when unpacking tar archives.

The researcher has shared a Metasploit module, as PoC, packaging the entire exploit in a chain.

No Patches Arrived Yet

According to Rebeiro, the vulnerabilities first caught his attention in 2016. However, as he “forgot” them, he reached out to the vendors in 2019 to report the bugs.

Nonetheless, he didn’t have a fruitful experience as the vendors seemingly failed to understand the flaws. Hence, the bugs remain unpatched even in the latest firmware version 03.11.0000.0016.

According to his statements to The Daily Swig,

During the disclosure process, even after multiple attempts, they didn’t really seem to understand the vulnerability… We explained it to them several times, and they seemed completely clueless. They were quite nice and pleasant to deal with it in terms of manners and how they treated us, but technically clueless.

Thus, for now, no official patches or workarounds exist for the users to prevent these exploits.

Nonetheless, the researcher advises the users to protect their devices from exposure to untrusted networks.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients