Details of VAR-201609-0102

ID

VAR-201609-0102

CVE

CVE-2016-6536

TITLE

AVer Information EH6108H+ hybrid DVR contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#667480

DESCRIPTION

The /setup URI on AVer Information EH6108H+ devices with firmware X9.03.24.00.07l allows remote attackers to bypass intended page-access restrictions or modify passwords by leveraging knowledge of a handle parameter value. AVer Information EH6108H+ hybrid DVR, version X9.03.24.00.07l and possibly earlier, reportedly contains multiple vulnerabilities, including undocumented privileged accounts, authentication bypass, and information exposure. In addition, JVNVU#95660277 Then CWE-302 It is published as CWE-302: Authentication Bypass by Assumed-Immutable Data http://cwe.mitre.org/data/definitions/302.htmlBy a third party handle By using the value of the parameter, you may be able to bypass the access restriction of the page or change the password. AVerInformationEH6108H+hybridDVRVU is a DVR product from AVerInformation. AVerInformationEH6108H+hybridDVRVU has a certification bypass vulnerability. A hard coded credentials vulnerability. 2. An authentication-bypass vulnerability. 3. An information-disclosure vulnerability. Attackers may exploit these issues to gain unauthorized access to restricted content by bypassing intended security restrictions or to obtain sensitive information and gain root privileges. AVer Information EH6108H+ X9.03.24.00.07l and prior are vulnerable. Version X9.03.24.00.07l and possibly earlier are reported to contain multiple vulnerabilities. Both accounts have root privileges and may be used to gain access via an undocumented telnet service that cannot be disabled through the web user interface and runs by default. CWE-200: Information Exposure - CVE-2016-6537 User credentials are reported to be stored and transmitted in an insecure manner. In the configuration page of the web interface, passwords are stored in base64-encoded strings. In client requests, credentials are listed in plain text in the cookie header. For more information, refer to the researcher's disclosure. Solution: The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround. Restrict access As a general good security practice, only allow connections from trusted hosts and networks. References: http://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/ https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a nd-more https://cwe.mitre.org/data/definitions/798.html https://cwe.mitre.org/data/definitions/302.html https://cwe.mitre.org/data/definitions/200.html

Trust: 3.33

sources: NVD: CVE-2016-6536 // CERT/CC: VU#667480 // JVNDB: JVNDB-2016-004816 // CNVD: CNVD-2016-07571 // BID: 92936 // VULHUB: VHN-95356 // PACKETSTORM: 138875

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-07571

AFFECTED PRODUCTS

vendor:	aver	model:	eh6108h\+	scope:	lte	version:	x9.03.24.00.07l	Trust: 1.0
vendor:	aver	model:	information eh6108h+ hybrid dvr x9.03.24.00.07l	scope:	-	version:	-	Trust: 0.9
vendor:	aver information	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	aver information	model:	eh6108h+	scope:	-	version:	-	Trust: 0.8
vendor:	aver information	model:	eh6108h+	scope:	eq	version:	x9.03.24.00.07l	Trust: 0.8
vendor:	aver	model:	eh6108h\+	scope:	eq	version:	x9.03.24.00.07l	Trust: 0.6

sources: CERT/CC: VU#667480 // CNVD: CNVD-2016-07571 // BID: 92936 // JVNDB: JVNDB-2016-004816 // CNNVD: CNNVD-201609-277 // NVD: CVE-2016-6536

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-6536
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-6536
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2016-07571
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201609-277
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-95356
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-6536
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-07571
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-95356
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-6536
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-07571 // VULHUB: VHN-95356 // JVNDB: JVNDB-2016-004816 // CNNVD: CNNVD-201609-277 // NVD: CVE-2016-6536

PROBLEMTYPE DATA

problemtype:	CWE-264	Trust: 1.9
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-95356 // JVNDB: JVNDB-2016-004816 // NVD: CVE-2016-6536

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201609-277

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201609-277

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004816

PATCH

title:

EH6108H Series - NVRs and Surveillance Software

url:

http://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/

Trust: 0.8

sources: JVNDB: JVNDB-2016-004816

EXTERNAL IDS

db:	CERT/CC	id:	VU#667480	Trust: 4.3
db:	NVD	id:	CVE-2016-6536	Trust: 3.5
db:	BID	id:	92936	Trust: 2.6
db:	JVN	id:	JVNVU95660277	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-004816	Trust: 0.8
db:	CNNVD	id:	CNNVD-201609-277	Trust: 0.7
db:	CNVD	id:	CNVD-2016-07571	Trust: 0.6
db:	VULHUB	id:	VHN-95356	Trust: 0.1
db:	PACKETSTORM	id:	138875	Trust: 0.1

sources: CERT/CC: VU#667480 // CNVD: CNVD-2016-07571 // VULHUB: VHN-95356 // BID: 92936 // JVNDB: JVNDB-2016-004816 // PACKETSTORM: 138875 // CNNVD: CNNVD-201609-277 // NVD: CVE-2016-6536

REFERENCES

url:	http://www.kb.cert.org/vuls/id/667480	Trust: 3.5
url:	http://www.securityfocus.com/bid/92936	Trust: 2.3
url:	https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-and-more	Trust: 1.6
url:	http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus/	Trust: 0.9
url:	https://cwe.mitre.org/data/definitions/798.html	Trust: 0.9
url:	https://cwe.mitre.org/data/definitions/302.html	Trust: 0.9
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6536	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu95660277/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6536	Trust: 0.8
url:	http://news.softpedia.com/news/here-s-another-vulnerable-dvr-system-ready-to-become-a-ddos-botnet-508298.shtml	Trust: 0.6
url:	http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2016-6537	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-6535	Trust: 0.1
url:	https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-6536	Trust: 0.1
url:	https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-	Trust: 0.1

CREDITS

Travis Lee

Trust: 1.0

sources: BID: 92936 // PACKETSTORM: 138875 // CNNVD: CNNVD-201609-277

SOURCES

db:	CERT/CC	id:	VU#667480
db:	CNVD	id:	CNVD-2016-07571
db:	VULHUB	id:	VHN-95356
db:	BID	id:	92936
db:	JVNDB	id:	JVNDB-2016-004816
db:	PACKETSTORM	id:	138875
db:	CNNVD	id:	CNNVD-201609-277
db:	NVD	id:	CVE-2016-6536

LAST UPDATE DATE

2025-04-13T23:23:35.328000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#667480	date:	2016-09-22T00:00:00
db:	CNVD	id:	CNVD-2016-07571	date:	2016-09-18T00:00:00
db:	VULHUB	id:	VHN-95356	date:	2016-11-28T00:00:00
db:	BID	id:	92936	date:	2016-09-13T00:00:00
db:	JVNDB	id:	JVNDB-2016-004816	date:	2016-09-26T00:00:00
db:	CNNVD	id:	CNNVD-201609-277	date:	2016-09-19T00:00:00
db:	NVD	id:	CVE-2016-6536	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#667480	date:	2016-09-13T00:00:00
db:	CNVD	id:	CNVD-2016-07571	date:	2016-09-18T00:00:00
db:	VULHUB	id:	VHN-95356	date:	2016-09-19T00:00:00
db:	BID	id:	92936	date:	2016-09-13T00:00:00
db:	JVNDB	id:	JVNDB-2016-004816	date:	2016-09-26T00:00:00
db:	PACKETSTORM	id:	138875	date:	2016-09-27T16:32:22
db:	CNNVD	id:	CNNVD-201609-277	date:	2016-09-14T00:00:00
db:	NVD	id:	CVE-2016-6536	date:	2016-09-19T01:59:08.400