ID

VAR-201609-0101


CVE

CVE-2016-6535


TITLE

AVer Information EH6108H+ hybrid DVR contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#667480

DESCRIPTION

AVer Information EH6108H+ devices with firmware X9.03.24.00.07l have hardcoded accounts, which allows remote attackers to obtain root access by leveraging knowledge of the credentials and establishing a TELNET session.

AVer Information EH6108H+ hybrid DVR, version X9.03.24.00.07l and possibly earlier, reportedly contains multiple vulnerabilities, including undocumented privileged accounts, authentication bypass, and information exposure. Supplementary information: the vulnerability type has been identified as CWE-798: Use of Hard-coded Credentials.

AVer Information EH6108H+ hybrid DVR is a DVR product from AVer Information. An attacker can exploit the vulnerability to gain root privileges.
2. An authentication-bypass vulnerability.
3. An information-disclosure vulnerability.
AVer Information EH6108H+ X9.03.24.00.07l and prior are vulnerable. The vulnerability stems from the fact that the program contains hard-coded accounts.

Version X9.03.24.00.07l and possibly earlier are reported to contain multiple vulnerabilities. Both accounts have root privileges and may be used to gain access via an undocumented telnet service that runs by default and cannot be disabled through the web user interface.

CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-6536
By guessing the handle parameter of the /setup page of the web interface, an unauthenticated attacker reportedly may be able to access restricted pages and alter DVR configurations or change user passwords.

CWE-200: Information Exposure - CVE-2016-6537
User credentials are reported to be stored and transmitted in an insecure manner. In the configuration page of the web interface, passwords are stored in base64-encoded strings. In client requests, credentials are listed in plain text in the cookie header.

For more information, refer to the researcher's disclosure.

Solution: The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.

Restrict access: As a general good security practice, only allow connections from trusted hosts and networks.

References:
http://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/
https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-and-more
https://cwe.mitre.org/data/definitions/798.html
https://cwe.mitre.org/data/definitions/302.html
https://cwe.mitre.org/data/definitions/200.html

Trust: 3.42

sources: NVD: CVE-2016-6535 // CERT/CC: VU#667480 // JVNDB: JVNDB-2016-004815 // CNVD: CNVD-2016-07570 // BID: 92936 // VULHUB: VHN-95355 // VULMON: CVE-2016-6535 // PACKETSTORM: 138875

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-07570

AFFECTED PRODUCTS

vendor: aver, model: eh6108h+, scope: eq, version: x9.03.24.00.07l

Trust: 1.6

vendor: aver, model: information eh6108h+ hybrid dvr x9.03.24.00.07l, scope: -, version: -

Trust: 0.9

vendor: aver information, model: -, scope: -, version: -

Trust: 0.8

vendor: aver information, model: eh6108h+, scope: -, version: -

Trust: 0.8

vendor: aver information, model: eh6108h+, scope: eq, version: x9.03.24.00.07l

Trust: 0.8

sources: CERT/CC: VU#667480 // CNVD: CNVD-2016-07570 // BID: 92936 // JVNDB: JVNDB-2016-004815 // CNNVD: CNNVD-201609-276 // NVD: CVE-2016-6535

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-6535
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-6535
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2016-07570
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201609-276
value: CRITICAL

Trust: 0.6

VULHUB: VHN-95355
value: HIGH

Trust: 0.1

VULMON: CVE-2016-6535
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-6535
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2016-07570
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-95355
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-6535
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-07570 // VULHUB: VHN-95355 // VULMON: CVE-2016-6535 // JVNDB: JVNDB-2016-004815 // CNNVD: CNNVD-201609-276 // NVD: CVE-2016-6535

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-95355 // JVNDB: JVNDB-2016-004815 // NVD: CVE-2016-6535

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201609-276

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201609-276

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004815

PATCH

title: EH6108H Series - NVRs and Surveillance Software, url: http://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/

Trust: 0.8

title: Threatpost, url: https://threatpost.com/new-mirai-variant-carries-out-54-hour-ddos-attacks/124660/

Trust: 0.1

sources: VULMON: CVE-2016-6535 // JVNDB: JVNDB-2016-004815

EXTERNAL IDS

db: CERT/CC, id: VU#667480

Trust: 4.4

db: NVD, id: CVE-2016-6535

Trust: 3.6

db: BID, id: 92936

Trust: 2.7

db: JVN, id: JVNVU95660277

Trust: 0.8

db: JVNDB, id: JVNDB-2016-004815

Trust: 0.8

db: CNNVD, id: CNNVD-201609-276

Trust: 0.7

db: CNVD, id: CNVD-2016-07570

Trust: 0.6

db: PACKETSTORM, id: 138875

Trust: 0.3

db: VULHUB, id: VHN-95355

Trust: 0.1

db: VULMON, id: CVE-2016-6535

Trust: 0.1

sources: CERT/CC: VU#667480 // CNVD: CNVD-2016-07570 // VULHUB: VHN-95355 // VULMON: CVE-2016-6535 // BID: 92936 // JVNDB: JVNDB-2016-004815 // PACKETSTORM: 138875 // CNNVD: CNNVD-201609-276 // NVD: CVE-2016-6535

REFERENCES

url:http://www.kb.cert.org/vuls/id/667480

Trust: 3.7

url:http://www.securityfocus.com/bid/92936

Trust: 2.5

url:https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-and-more

Trust: 1.6

url:https://cwe.mitre.org/data/definitions/798.html

Trust: 1.0

url:http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus/

Trust: 0.9

url:https://cwe.mitre.org/data/definitions/302.html

Trust: 0.9

url:https://cwe.mitre.org/data/definitions/200.html

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6535

Trust: 0.8

url:http://jvn.jp/vu/jvnvu95660277/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6535

Trust: 0.8

url:http://news.softpedia.com/news/here-s-another-vulnerable-dvr-system-ready-to-become-a-ddos-botnet-508298.shtml

Trust: 0.6

url:http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus

Trust: 0.3

url:https://nvd.nist.gov

Trust: 0.1

url:https://packetstormsecurity.com/files/138875/aver-information-eh6108h-authentication-bypass-inforation-exposure.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6537

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6535

Trust: 0.1

url:https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6536

Trust: 0.1

url:https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-

Trust: 0.1

sources: CERT/CC: VU#667480 // CNVD: CNVD-2016-07570 // VULHUB: VHN-95355 // VULMON: CVE-2016-6535 // BID: 92936 // JVNDB: JVNDB-2016-004815 // PACKETSTORM: 138875 // CNNVD: CNNVD-201609-276 // NVD: CVE-2016-6535

CREDITS

Travis Lee

Trust: 1.0

sources: BID: 92936 // PACKETSTORM: 138875 // CNNVD: CNNVD-201609-276

SOURCES

db: CERT/CC, id: VU#667480
db: CNVD, id: CNVD-2016-07570
db: VULHUB, id: VHN-95355
db: VULMON, id: CVE-2016-6535
db: BID, id: 92936
db: JVNDB, id: JVNDB-2016-004815
db: PACKETSTORM, id: 138875
db: CNNVD, id: CNNVD-201609-276
db: NVD, id: CVE-2016-6535

LAST UPDATE DATE

2025-04-13T23:23:35.369000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#667480, date: 2016-09-22T00:00:00
db: CNVD, id: CNVD-2016-07570, date: 2018-03-06T00:00:00
db: VULHUB, id: VHN-95355, date: 2016-11-28T00:00:00
db: VULMON, id: CVE-2016-6535, date: 2016-11-28T00:00:00
db: BID, id: 92936, date: 2016-09-13T00:00:00
db: JVNDB, id: JVNDB-2016-004815, date: 2016-09-26T00:00:00
db: CNNVD, id: CNNVD-201609-276, date: 2016-09-19T00:00:00
db: NVD, id: CVE-2016-6535, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC, id: VU#667480, date: 2016-09-13T00:00:00
db: CNVD, id: CNVD-2016-07570, date: 2016-09-18T00:00:00
db: VULHUB, id: VHN-95355, date: 2016-09-19T00:00:00
db: VULMON, id: CVE-2016-6535, date: 2016-09-19T00:00:00
db: BID, id: 92936, date: 2016-09-13T00:00:00
db: JVNDB, id: JVNDB-2016-004815, date: 2016-09-26T00:00:00
db: PACKETSTORM, id: 138875, date: 2016-09-27T16:32:22
db: CNNVD, id: CNNVD-201609-276, date: 2016-09-14T00:00:00
db: NVD, id: CVE-2016-6535, date: 2016-09-19T01:59:07.400