TBK DVR Authentication Bypass Attack

Released: May 01, 2023


High Severity

IoT Platform

Attack Type


DVR camera system vulnerability actively exploited in the wild

FortiGuard Labs observed "Critical" level of attack attempts to exploit an Authentication Bypass Vulnerability in TBK DVR devices (4104/4216) with upto more than 50,000+ unique IPS detections in the month of April 2023. The 5-year-old vulnerability (CVE-2018-9995) is due to an error when handling a maliciously crafted HTTP cookie. A remote attacker may be able to exploit this flaw to bypass authentication and obtain administrative privileges eventually leading access to camera video feeds. Learn More »

Common Vulnerabilities and Exposures

CVE-2018-9995

Background

TBK Vision is a video surveillance company which provides network CCTV devices and other related equipment such as DVRs for the protection of critical infrastructure facilities. According to the vendor website, they have over 600,000 Cameras and 50,000 Recorders installed all over the world in multiple sectors such as Banking, Retail, Government etc. According to the NIST NVD database, TBK DVR4104 and DVR4216 devices are also rebranded and sold as other brands such as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR.

Another notable spike to mention is IPS detections related to MVPower CCTV DVR models (CVE-2016-20016) also known as JAWS webserver RCE. Previously seen to be exploited in the wild through 2017 and on-going. See additional resources for more information.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


May 10, 2018: Fortinet customers remain protected by the IPS signature to block attack attempts related to vulnerable TBK DVR devices. (CVE-2018-9995)


May 1, 2023: With tens of thousands of TBK DVRs available under different brands, publicly-available PoC code, and an easy-to-exploit makes this vulnerability an easy target for attackers. The recent spike in IPS detections shows that network camera devices remain a popular target for attackers.

FortiGuard Labs is not aware of any patches provided by the vendor and recommends organizations to review installed models of CCTV camera systems and related equipment for vulnerable models.

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • Lure

  • Decoy VM

  • IPS

DETECT
  • Outbreak Detection

  • Threat Hunting

  • Content Update

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.


Loading ...

Indicators of compromise Indicators of compromise
IOC Threat Activity

Last 30 days

Chg

Avg 0