Attackers could access recorded private information and obtain assets as NVR vulnerability exposes the Annke firm

September 1, 2021

A remote code execution vulnerability has recently been discovered in a product from Annke, an international leader in the home and business security solution industry in Hong Kong: its network video recorder (NVR). The critical flaw (CVE-2021-32941) is in the playback feature of the Annke NVR model N48PBB, which records live streams from at least eight IP security cameras and offers centralized remote management of video surveillance structures, and it could result in the complete compromise of the IoT device.

To head off attacks, security camera operators running a vulnerable device must update their firmware as soon as possible. According to an article posted on August 26 by security researchers, attackers can access private details recorded in the videos, obtain valuable assets, or even stalk recorded people.

In addition, the threat actors can delete any video footage they wish, re-engineer motion detection alarms to avoid being exposed, disable any camera, or even shut down the entire NVR.

Annke’s clients and users number over five million businesses and homeowners globally.

Stack-based buffer overflow found by researchers 

Security researchers initially discovered a distributed denial-of-service (DDoS) attack while observing the HTTP requests sent by a client searching for camera footage. Following up on this finding, they had to debug the system at the hardware level, which gave them Secure Shell (SSH) access. Eventually, the researchers found a vulnerable use of the ‘sscanf’ function, which causes a stack-based buffer overflow.
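The bug class named above, shown as an added example that is not Annke's firmware code or the researchers' code: an unbounded 'sscanf' conversion into a stack buffer, next to a bounded form that rejects oversized input. The "track" parameter, the 32-byte buffer and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TRACK_MAX 32   /* constructed buffer size for this example */

/* Vulnerable pattern: %s has no field width, so sscanf keeps copying
 * until whitespace and can write past the end of the stack buffer. */
int parse_track_unsafe(const char *query, char *out, size_t outlen)
{
    char track[TRACK_MAX];
    if (sscanf(query, "track=%s", track) != 1)   /* unbounded write */
        return -1;
    snprintf(out, outlen, "%s", track);
    return 0;
}

/* Hardened form: the conversion is limited to the buffer size minus the
 * terminating NUL, and input that did not fit is rejected, not truncated.
 * Returns 0 on success, -1 on malformed input, -2 on oversized input. */
int parse_track_safe(const char *query, char *out, size_t outlen)
{
    char track[TRACK_MAX];
    int consumed = 0;

    if (query == NULL || out == NULL || outlen == 0)
        return -1;
    /* %31[^&]: at most 31 bytes, stop at '&'; %n stores bytes consumed */
    if (sscanf(query, "track=%31[^&]%n", track, &consumed) != 1)
        return -1;
    /* Leftover bytes that are not a separator mean the value was too long */
    if (query[consumed] != '\0' && query[consumed] != '&')
        return -2;
    if (strlen(track) >= outlen)
        return -2;
    memcpy(out, track, strlen(track) + 1);
    return 0;
}
```

Returning an error on oversized values, instead of accepting the truncated prefix, also gives the device a log-worthy event for requests that would have overflowed the buffer.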

They also added that, since the video search functionality is available to all device users by default, threat actors can exploit the vulnerability on unpatched Annke NVRs to elevate their privileges on the system.

By July 11, 2021, the security researchers, specifically Nozomi Networks, had alerted Annke to the vulnerability in its NVR devices and their released firmware. The flaw affects all firmware versions up to V3.4.106 build 200422.

Nozomi Networks strongly advises all video surveillance firms to safeguard their operational technology operations and to ensure that their IoT network monitoring solutions are running. It also recommends considering the applicable privacy laws in the vendor’s jurisdiction when buying security camera systems.
