CHT Security Forensics Lab Discovered Vulnerabilities in Firmware of Well-Known DVR
The Vulnerability Report of Tonnet DVR
Summary
1. [CVE-2020-3923] Improper Access Control
The firmware does not handle passwords properly. An attacker could analyze the firmware and its cipher algorithm to gain system permission on the devices.
2. [CVE-2020-3924] Command Injection
There is a command injection in the firmware update procedure. An attacker can easily craft a fake firmware image that opens the telnet service and gain system permission.
Details
1. [CVE-2020-3923] Improper Access Control
The firmware contains an executable that listens on tcp/9530, a service used by engineers to maintain the device.
The authentication procedure of this service is vulnerable: it uses a symmetric algorithm (3DES) with fixed keys to verify the passcode, so an attacker who reverses the firmware can obtain system permission.
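Why that design fails, as an added illustration that is not Tonnet's code or the authors' (the key, the passcode and the exact shape of the verifier are constructed assumptions; Go is used because its standard library carries 3DES): a verifier that compares a 3DES encryption under a key compiled into the image is reversible by anyone holding the image, whereas a salted, stretched one-way digest is not.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
)

// Constructed stand-in for a key compiled into the image (not Tonnet's key), plus
// the reference blob shipped beside it that the verifier compares against.
var firmwareKey = []byte("0123456789abcdef01234567") // 24-byte 3DES key
var storedBlob = tdes([]byte("maint123"), false)

// tdes applies one 8-byte 3DES block operation (zero-padded input) under firmwareKey.
func tdes(in []byte, decrypt bool) []byte {
	c, _ := des.NewTripleDESCipher(firmwareKey) // fixed-length key: cannot fail
	op := c.Encrypt
	if decrypt {
		op = c.Decrypt
	}
	buf, out := make([]byte, 8), make([]byte, 8)
	copy(buf, in)
	op(out, buf)
	return out
}

// weakVerify models the advisory's design: fixed key plus a reversible cipher.
func weakVerify(passcode string) bool {
	return bytes.Equal(tdes([]byte(passcode), false), storedBlob)
}

// imageRevealsPasscode is the failure: key and blob are both in the image and
// 3DES is invertible, so the passcode falls out with no guessing at all.
func imageRevealsPasscode() string {
	return string(bytes.TrimRight(tdes(storedBlob, true), "\x00"))
}

// Hardened form: the image stores only a random per-device salt and a stretched
// one-way digest (iterated HMAC stands in for PBKDF2/Argon2), so nothing in the
// image can be turned back into the passcode.
func derive(passcode string, salt []byte) []byte {
	sum := []byte(passcode)
	for i := 0; i < 50000; i++ {
		m := hmac.New(sha256.New, salt)
		m.Write(sum)
		sum = m.Sum(nil)
	}
	return sum
}
func hardenedVerify(passcode string, salt, digest []byte) bool {
	return subtle.ConstantTimeCompare(derive(passcode, salt), digest) == 1
}
```

In a deployment the salt would be generated per device with crypto/rand at enrollment; only salt and digest are written to the device, never the passcode.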
Impact
An attacker could gain root permission. The device could be infected as part of a botnet and used to carry out DDoS attacks.
2. [CVE-2020-3924] Command Injection
The root cause of this vulnerability is an insecure upgrade procedure. In addition, the configuration script parser contains an even more insecure command. Combining both, an attacker can easily build a malicious firmware image that turns on the telnet service and gains system permission.
Impact
An attacker could gain root permission. The device could be infected as part of a botnet and used to carry out DDoS attacks.
Known Affected Devices
- TAT-77104G1
  - Firmware version <= TAT-77104G1_20190107
- TAT-70432N
  - Firmware version <= TAT-77208G1_20181225
- TAT-71416G1
  - Firmware version <= TAT-71416G1_20181225
- TAT-71832G1
  - Firmware version <= TAT-71832G1_20190510
- TAT-76104G3
  - Firmware version <= 20181220_76104G3
- TAT-76108G3
  - Firmware version <= 20181221_76208G3
- TAT-76116G3
  - Firmware version <= 20181221_76216G3
- TAT-76132G3
  - Firmware version <= TAT-70832G3_20181221-1
Credit
- Weber Tsai (CHT Security)
- Keniver Wang (CHT Security)
- Redhung Chen (CHT Security Intern)