CHT Security Forensics Lab Discovered Vulnerabilities in Firmware of Well-Known DVR

The Vulnerability Report of Tonnet DVR


Summary

1. [CVE-2020-3923] Improper Access Control

The firmware does not properly handle passwords. An attacker could analyze the firmware and its cipher algorithm to gain system permission on the devices.

2. [CVE-2020-3924] Command Injection

There is a command injection in the firmware update procedure. An attacker can easily craft a fake firmware image that opens the telnet service and gain system permission.

Details

1. [CVE-2020-3923] Improper Access Control

The firmware contains an executable that listens on port tcp/9530, a service intended for engineers to maintain the device.

The authentication procedure of this service is vulnerable. It uses a symmetric algorithm (3DES) with fixed keys to verify the passcode. Because the keys are fixed in the firmware, attackers can gain system permission after reverse engineering the firmware.

Impact

An attacker could gain root permission. The device might be recruited into a botnet and used to carry out DDoS attacks.

2. [CVE-2020-3924] Command Injection

The main cause of this vulnerability is an insecure upgrade procedure. In addition, the configuration script parser contains an even more insecure command. By combining both weaknesses, an attacker can easily build malicious firmware that turns on the telnet service and gain system permission.

Impact

An attacker could gain root permission. The device might be recruited into a botnet and used to carry out DDoS attacks.


Known Affected Devices

  • TAT-77104G1
    • Firmware version <= TAT-77104G1_20190107
  • TAT-70432N
    • Firmware version <= TAT-77208G1_20181225
  • TAT-71416G1
    • Firmware version <= TAT-71416G1_20181225
  • TAT-71832G1
    • Firmware version <= TAT-71832G1_20190510
  • TAT-76104G3
    • Firmware version <= 20181220_76104G3
  • TAT-76108G3
    • Firmware version <= 20181221_76208G3
  • TAT-76116G3
    • Firmware version <= 20181221_76216G3
  • TAT-76132G3
    • Firmware version <= TAT-70832G3_20181221-1
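
To triage an asset inventory against the list above, the following Python code is an added example (not part of the original advisory and not vendor tooling). It assumes the 8-digit field in each firmware string is a YYYYMMDD build date and that a trailing "-N" is a same-day revision; the inventory rows are constructed.

```python
import re
from datetime import date

# Ceilings copied verbatim from the advisory's list: model -> last affected firmware.
AFFECTED = {
    "TAT-77104G1": "TAT-77104G1_20190107",
    "TAT-70432N": "TAT-77208G1_20181225",
    "TAT-71416G1": "TAT-71416G1_20181225",
    "TAT-71832G1": "TAT-71832G1_20190510",
    "TAT-76104G3": "20181220_76104G3",
    "TAT-76108G3": "20181221_76208G3",
    "TAT-76116G3": "20181221_76216G3",
    "TAT-76132G3": "TAT-70832G3_20181221-1",
}

# Assumption: the 8-digit field is a YYYYMMDD build date; "-N" is a same-day revision.
_BUILD = re.compile(r"(?<!\d)(20\d{6})(?!\d)(?:-(\d+))?")

def build_key(firmware):
    """Return (build_date, revision) parsed from a firmware string, or None."""
    m = _BUILD.search(firmware)
    if not m:
        return None
    d = m.group(1)
    try:
        built = date(int(d[:4]), int(d[4:6]), int(d[6:]))
    except ValueError:  # eight digits that are not a real calendar date
        return None
    return built, int(m.group(2) or 0)

def classify(model, firmware):
    """Return 'affected', 'newer', 'not-listed' or 'unknown' for one inventory row."""
    ceiling = AFFECTED.get(model.strip().upper())
    if ceiling is None:
        return "not-listed"
    key = build_key(firmware)
    if key is None:
        return "unknown"  # unparseable version: review by hand, do not assume safe
    return "affected" if key <= build_key(ceiling) else "newer"

# Constructed inventory rows (not real devices).
INVENTORY = [("TAT-77104G1", "TAT-77104G1_20190107"), ("TAT-76132G3", "TAT-70832G3_20181221-2"),
             ("TAT-71416G1", "custom-build")]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(f"{model:12} {fw:26} {classify(model, fw)}")
```

A "newer" result only means the build is later than the version listed in the advisory; the advisory does not name fixed versions.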

Credit

  • Weber Tsai (CHT Security)
  • Keniver Wang (CHT Security)
  • Redhung Chen (CHT Security Intern)