CVE-2018-1149 is a new stack buffer overflow zero-day vulnerability that endangers IoT video and security cameras. Also known as Peekaboo, the zero-day affects security cameras and surveillance equipment that use the NUUO software. If exploited, the flaw could allow attackers to perform remote code execution attacks.
Attackers could also steal sensitive data such as device credentials, IP addresses, port usages, and device model numbers. Furthermore, attackers exploiting the bug can disable cameras or replace the footage with a static image.
CVE-2018-1149 Critical Zero-Day: Technical Overview
Tenable researchers “found an unauthenticated stack buffer overflow (CWE-121) permitting remote code execution”. This vulnerability has a CVSSv2 Base score of 10.0 and a Temporal Score of 8.6; it’s rated as Critical severity, the researchers added.
In case of a successful exploit, the Peekaboo vulnerability grants cybercriminals access to the control management system (CMS), exposing the credentials for all connected CCTV cameras, the researchers explained in their report.
Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.
There is also a proof-of-concept for CVE-2018-1149 developed by Jacob Baines, senior research engineer at Tenable. He was able to demonstrate how this vulnerability might be leveraged to take over the NVRMini2 and manipulate connected cameras.
The impact of the vulnerability could be devastating: the researchers estimated that it could affect hundreds of thousands of IoT cameras on a global scale. This could put a variety of organizations using the NUUO software at risk, including shopping centers, banks, hospitals, governments, and public areas.
Apparently, NUUO is currently working on a patch. Affected customers are advised to contact the company for more details. Until the patch is released, users should restrict network access to the affected devices to prevent exploitation.