AVTECH DVR Vulnerability (Severity: High)

Updates 20 March 2017, 3:40pm

AVTECH has just released firmware patches for its newer IP camera, NVR and TVI-DVR models. The flaw exists in almost all AVTECH equipment manufactured in the last 7 years.

You have to patch your CCTV system or take it offline to avoid your system being infected with the malware.

http://www.avtech.com.tw/

Firmware Fix Issued for Malware Targets

AVTECH is aware of the recent news of cyber attacks that hackers have been carrying out against several of our main competitors. To raise the security level for AVTECH customers and to prevent exposure to any potential risk, AVTECH strongly recommends that customers change the default passwords before setting their devices online.

At the same time, AVTECH has issued new firmware updates for our recorders (DVRs & NVRs) and IP cameras to prevent any possibility of hackers making attempts on your devices.

The firmware fix is now available on the AVTECH official website, www.avtech.com.tw, for the following models, which have been determined to be the affected ones:

For older DVR models, we are also rolling out a replacement programme for customers to upgrade their DVR to the brands that the Singapore Police/Cisco are using.

More Information

Here is what an AVTECH system looks like. If you are using any software or DVR that looks like this, then most likely you are using AVTECH equipment.


Updates 20 March 2017

http://news.thewindowsclub.com/new-linux-malware-attacks-avtech-iot-devices-88739/

A new malware that targets Linux-based Internet of Things (IoT) devices has been detected by Search-Lab, a security research and development firm. This Linux ARM malware, called ELF_IMEIJ.A, exploits a vulnerability in devices from AVTech, a surveillance technology company.

As an AVTech user, you can do the following to protect your device:

  • Change the default admin password (all our devices are installed with the default password changed)
  • Never expose the web interface of any AVTECH device to the internet (disable remote viewing through the internet)

Vulnerabilities in AVTECH CCTV equipment have been found.

Symantec has also issued an update to its Norton Security suites that blocks certain DVR functionality from computers trying to access the system. If you have trouble logging in to your AVTECH system from the internet, this could be the reason.

LAKSON stopped using AVTECH equipment with internet viewing for installation work in 2015 and switched to other brands. These include brands used by the Singapore Police/Cisco and installed in various high-security installations such as SMRT, the Esplanade, etc.

For customers on a maintenance contract, action has been taken to secure their equipment from unauthorised access, including replacing their AVTECH equipment with other brands/models. From our records, there are also no longer any customers with AVTECH equipment installed by us that is still under warranty.

If you are using AVTECH CCTV equipment, please contact your vendor to ask about security update patches/replacement options.

You may also wish to purchase replacement equipment for your AVTECH CCTV system.


Reference: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=29982

For more information, you can also read the original disclosure:
https://www.exploit-db.com/exploits/40500/

Timeline
2015.10.19: First attempt to contact Avtech, but we did not receive any response
2016.05.24: Second attempt to contact Avtech without any response
2016.05.27: Third attempt to contact Avtech by sending e-mail to public Avtech e-mail addresses. We did not receive any response.
2016.xx.xx: Full disclosure

POC

A POC script is available to demonstrate the following problems [3]:
– Unauthenticated information leakage (capabilities)
– Authentication bypass (.cab, nobody)
– Unauthenticated SSRF on DVR devices
– Unauthenticated command injection on DVR devices
– Login captcha bypass with login=quick or manual cookie creation
– CloudSetup.cgi command injection after authentication
– adcommand.cgi command injection after authentication

A video demonstration is also available [1], which presents some of the above problems.
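The POC list above names the request components involved (CloudSetup.cgi, adcommand.cgi, login=quick, .cab), and the advice on this page is to keep the web interface off the internet. The script below is an added example, not code from this page, from AVTECH or from Search-Lab: it scans constructed web-server access-log lines for those names and for any request arriving from outside RFC 1918 space, which would show the interface is exposed. The combined log format, the request paths, the client addresses and the choice of "internal" ranges are all assumptions; the disclosure does not give full request paths, so matching is a plain case-insensitive substring test.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Request names taken from the POC list in the disclosure quoted on this page.
# The disclosure gives no full request paths, so matching is a case-insensitive
# substring test on the request target (path plus query string).
INDICATORS = {
    "CloudSetup.cgi": "CloudSetup.cgi command injection (post-authentication)",
    "adcommand.cgi": "adcommand.cgi command injection (post-authentication)",
    "login=quick": "login captcha bypass via login=quick",
    ".cab": "authentication bypass via .cab request",
}

# Finding used when a request came from outside the site's own address ranges:
# the web interface is reachable from the internet, which the advice says to avoid.
EXPOSURE = "web interface reached from outside the internal networks"

# Assumption: the DVR sits behind a reverse proxy, or the site logs requests in
# Apache/nginx combined format. AVTECH's own log format is not on the page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: the CCTV network uses RFC 1918 space; anything else is "outside".
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass
class Finding:
    ip: str
    ts: str
    target: str
    status: int
    indicator: str
    external: bool


def is_external(ip: str) -> bool:
    """True when the client address is not in any internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable client field: treat as untrusted
    return not any(addr in net for net in INTERNAL_NETS)


def match_indicator(target: str) -> Optional[str]:
    """Return the description of the first POC indicator found in the target."""
    lowered = target.lower()
    for needle, description in INDICATORS.items():
        if needle.lower() in lowered:
            return description
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Parse log lines and return one Finding per suspicious or external request."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        description = match_indicator(m.group("target"))
        external = is_external(m.group("ip"))
        if description is None and not external:
            continue  # ordinary internal request, nothing to report
        findings.append(Finding(
            ip=m.group("ip"),
            ts=m.group("ts"),
            target=m.group("target"),
            status=int(m.group("status")),
            indicator=description or EXPOSURE,
            external=external,
        ))
    return findings


# Constructed sample log lines (not real traffic); paths are illustrative only.
SAMPLE_LOG = [
    '192.168.1.20 - - [20/Mar/2017:15:40:01 +0800] "GET /cgi-bin/CloudSetup.cgi?x=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Mar/2017:15:40:07 +0800] "POST /Login.cgi?login=quick HTTP/1.1" 200 201',
    '192.168.1.31 - - [20/Mar/2017:15:41:10 +0800] "GET /live.html HTTP/1.1" 200 4096',
    '198.51.100.7 - - [20/Mar/2017:15:42:55 +0800] "GET /index.html HTTP/1.1" 200 1843',
    'garbage line that does not parse',
    '10.0.0.9 - - [20/Mar/2017:15:43:02 +0800] "GET /adcommand.cgi HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "EXTERNAL" if f.external else "internal"
        print(f"{f.ts} {f.ip:<15} {flag:<8} {f.status} {f.target} -> {f.indicator}")
```

Run against the sample, four of the six lines are reported: the two command-injection endpoints, the captcha-bypass parameter from an outside address, and a plain page request from an outside address that carries no indicator but proves the interface is reachable from the internet. A 401 on adcommand.cgi is still reported, since the POC notes that endpoint is abused after authentication and a failed attempt is worth seeing. Internal addresses are matched against fixed RFC 1918 ranges rather than ipaddress's is_private flag because that flag also covers the documentation ranges used in the sample.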

Recommendations
—————
Unfortunately there is no solution available for these vulnerabilities at the moment. You can take the following steps to protect your device:
– Change the default admin password
– Never expose the web interface of any Avtech device to the internet