Vulnerability Note VU#667480
AVer Information EH6108H+ hybrid DVR contains multiple vulnerabilities
AVer Information EH6108H+ hybrid DVR, version X9.03.24.00.07l and possibly
earlier, reportedly contains multiple vulnerabilities, including
undocumented privileged accounts, authentication bypass, and information
AVer Information EH6108H+ hybrid DVR is an IP security camera management
system and streaming video recorder. Version X9.03.24.00.07l and possibly
earlier are reported to contain multiple vulnerabilities.
CWE-798: Use of Hard-coded Credentials - CVE-2016-6535
AVer Information EH6108H+ reportedly contains two undocumented, hard-coded
account credentials. Both accounts have root privileges and may be used to
gain access via an undocumented telnet service that cannot be disabled
through the web user interface and runs by default.
CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-6536
By guessing the handle parameter of the /setup page of the web interface, an
unauthenticated attacker reportedly may be able to access restricted pages
and alter DVR configurations or change user passwords.
CWE-200: Information Exposure - CVE-2016-6537
User credentials are reported to be stored and transmitted in an insecure
manner. In the configuration page of the web interface, passwords are stored
in base64-encoded strings. In client requests, credentials are listed in
plain text in the cookie header.
For more information, refer to the researcher's disclosure.
A remote, unauthenticated attacker may be able to gain access with root
privileges to completely compromise vulnerable devices.
The CERT/CC is currently unaware of a practical solution to this problem and
recommends the following workaround.
As a general good security practice, only allow connections from trusted
hosts and networks.