Threat Signal ReportDetection Spike Observed for DVR Authentication Bypass Vulnerability (CVE-2018-9995)
Description
FortiGuard Labs has recently observed a detection spike in DVR Authentication Bypass Vulnerability (CVE-2018-9995). This indicates that attackers tried to exploit the vulnerability potentially resulting in attackers gaining unauthorized access to vulnerable DVR devices.
Why is this Significant?
This is significant because FortiGuard Labs has recently observed increased exploit attempts for unpatched TBK DVR4104 and DVR4216 Digital Video Recorder (DVR) devices as well as rebranded devices. Proof-of-Concept (PoC) code is readily available, and the vulnerability is trivial to exploit.
What is CVE-2018-9995?
CVE-2018-9995 is an authentication bypass vulnerability that affects DVR4104 and DVR4216 manufactured by TBK and their rebranded devices.
The vulnerability is due to an error in the vulnerable application when handling a maliciously crafted HTTP cookie. A remote attacker may be able to exploit this to bypass authentication and obtain administrative access.
CVE-2018-9995 has a CVSS basic score of 9.8 and is rated critical by NIST.
Has the Vendor Released an Advisory for CVE-2018-9995?
FortiGuard Labs is not aware of a vendor advisory.
Has the Vendor Released a Patch for CVE-2018-9995?
FortiGuard Labs is not aware of a vendor patch for CVE-2018-9995.
What is the Status of Protection?
FortiGuard Labs has the following IPS signature in place for CVE-2018-9995:
- DVR.Cookie.Authentication.Bypass
Any Suggested Mitigation?
Configure DVR's management interface to be accessible only from trusted IPs.
Outbreak Alert
FortiGuard Labs observed "Critical" level of attack attempts to exploit an Authentication Bypass Vulnerability in TBK DVR devices (4104/4216) with upto more than 50,000+ unique IPS detections in the month of April 2023. The 5-year-old vulnerability (CVE-2018-9995) is due to an error when handling a maliciously crafted HTTP cookie. A remote attacker may be able to exploit this flaw to bypass authentication and obtain administrative privileges eventually leading access to camera video feeds.
