Hackers are actively exploiting an unpatched 2018 authentication bypass vulnerability in exposed TBK DVR (digital video recording) devices.
DVRs are an integral part of security surveillance systems as they record and store video recorded by cameras. TBK Vision’s website claims its products are deployed in banks, government organizations, the retail industry, and more.
As these DVR servers are used to store sensitive security footage, they are usually located on internal networks to prevent unauthorized access to the recorded video. Unfortunately, this makes them attractive to threat actors who can exploit them for initial access to corporate networks and to steal data.
Fortinet’s FortiGard Labs reports seeing an uptick in hacking attempts on TBK DVR devices recently, with the threat actors using a publicly available proof of concept (PoC) exploit to target a vulnerability in the servers.
CVE-2018-9995 exploitation spike recorded by Fortinet
The vulnerability is a critical (CVSS v3: 9.8) flaw, tracked as CVE-2018-9995, which enables attackers to bypass authentication on the device and gain access to the impacted network.
The exploit uses a maliciously crafted HTTP cookie, to which vulnerable TBK DVR devices respond with admin credentials in the form of JSON data.
“A remote attacker may be able to exploit this flaw to bypass authentication and obtain administrative privileges, eventually leading access to camera video feeds,” reads an outbreak alert by Fortinet.
The vulnerability impacts the TBK DVR4104 and TBK DVR4216 and rebrands of these models sold under the Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR brands.
According to Fortinet, as of April 2023, there were over 50,000 attempts to exploit TBK DVR devices using this flaw.
“With tens of thousands of TBK DVRs available under different brands, publicly-available PoC code, and an easy-to-exploit makes this vulnerability an easy target for attackers,” explains Fortinet.
“The recent spike in IPS detections shows that network camera devices remain a popular target for attackers.”
Unfortunately, Fortinet is unaware of a security update to address CVE-2018-9995. Therefore, it is advised to replace the vulnerable surveillance systems with new and actively supported models or isolate them from the internet to prevent unauthorized access.
Another old flaw undergoing an exploitation “outbreak” is CVE-2016-20016 (CVSS v3: 9.8, “critical”), a remote code execution vulnerability impacting MVPower TV-7104HE and TV-7108HE DVRs, allowing attackers to perform unauthenticated command execution using malicious HTTP requests.
Exploitation stats for CVE-2016-20016 (Fortinet)
This flaw has been under active exploitation in the wild since 2017, but Fortinet has recently seen signs of increasing malicious activity leveraging it. In this case, too, the vendor has not supplied a patch to fix the vulnerability.