Overview – Attacks on TBK Vision’s DVR Vulnerability

Last month, there was a massive surge in malicious attacks targeting a five-year-old vulnerability in TBK Vision’s DVR Camera System. A Digital Video Recording (DVR) device is the central part of a security surveillance system because, without it, one would be unable to review the recorded footage. DVR servers store sensitive security footage and are typically located on the company’s internal network to prevent unauthorized users from accessing the footage.

The vulnerability, CVE-2018-9995, is a high-severity flaw discovered by security researchers at Fortinet. They found that the camera experiences an error when it handles malicious HTTP cookies. The error enables a remote attacker to bypass authentication and gain administrative privileges in the form of JSON data. Once this happens, an attacker can view camera footage and video feeds. Additionally, threat actors use a publicly available proof-of-concept (PoC) exploit to target this vulnerability.

Last month, unique Intrusion Prevention System (IPS) detections recorded over 50,000 attack attempts on these devices. The rise in attacks led Fortinet to recognize the flaw. However, details on the existence of the vulnerability trace back to April 2018. There was no patch for it, so it has been left wide open and vulnerable.

Banking, retail, government, and other sectors use TBK Vision’s products worldwide. The wide use of these devices and their easy-to-exploit nature make the vulnerability a popular target for attackers.

Devices Impacted by the TBK DVR Vulnerability

This vulnerability affects the TBK DVR 4104 and TBK DVR 4216 models and any rebrands of these models under the Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR brands.

What to do if You Use Vulnerable TBK DVR Devices

To date, no patch exists to address the flaw. Replacing the vulnerable devices listed above with a new, supported model, or isolating them from the internet within your environment to restrict unauthorized access, is therefore recommended. As for other devices you may use, the most crucial factor in protecting any device, especially an internet-facing one, is to install patches and updates. Where a device offers automatic updates, having that option enabled by default keeps the device on the latest version. If you need help managing the security of your devices, contact us to learn about your options.