ID

VAR-202006-0043


CVE

CVE-2020-11680


TITLE

Unauthorized authentication vulnerability in Castel NextGen DVR

Trust: 0.8

sources: JVNDB: JVNDB-2020-006191

DESCRIPTION

Castel NextGen DVR v1.0.0 is vulnerable to authorization bypass on all administrator functionality. The application fails to check that a request was submitted by an administrator. Consequently, a normal user can perform actions including, but not limited to, creating/modifying the file store, creating/modifying alerts, creating/modifying users, etc. Attackers can use this vulnerability to create/modify file libraries, create/modify users, etc.

All issues are associated with Castel NextGen DVR v1.0.0 and have been resolved in v1.0.1.

-------------------------------

CVE-2020-11679 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11679>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
A low privileged user can call functionality reserved for an Administrator which promotes a low privileged account to the Administrator role:

    POST /Administration/Users/Edit/:ID HTTP/1.1
    Host: $RHOST
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: $REVIEWER_COOKIES
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 349

    UserId=:ID&Email=bypass%40test.com&FirstName=bypass&LastName=bypass&LDAPUser=false&Roles%5B0%5D.RoleId=1&Roles%5B0%5D.IsSelected=true&Roles%5B0%5D.IsSelected=false&Roles%5B1%5D.RoleId=3&Roles%5B1%5D.IsSelected=true&Roles%5B1%5D.IsSelected=false&Roles%5B2%5D.RoleId=5&Roles%5B2%5D.IsSelected=true&Roles%5B2%5D.IsSelected=false&Locked=false

-------------------------------

CVE-2020-11680 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11680>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
The application does not perform an authorization check before functionality is performed. Low privileged users are prevented from browsing to pages that perform Administrator functionality using GET; however, functionality can be performed by directly crafting the associated POST request. This can be exploited to modify user accounts, modify the application, etc. Combined with the reported CSRF, CVE-2020-11682, any user of the application can be used to grant Administrator access to a malicious user.

-------------------------------

CVE-2020-11681 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11681>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
Credentials are returned in cleartext in the source of the SMTP page. If a malicious user compromises an account or exploits the CSRF to gain access to the application, the associated SMTP server/account could also be compromised.

-------------------------------

CVE-2020-11682 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11682>

Original Disclosure
https://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf

Description
The application does not properly prevent CSRF; the __RequestVerificationToken, which is included with state-changing requests, is not verified by the application - requests are successful even when the token is removed.

AARON BISHOP | Principal Penetration Tester
CISSP, OSCP, OSWE

Trust: 2.25

sources: NVD: CVE-2020-11680 // JVNDB: JVNDB-2020-006191 // CNVD: CNVD-2021-24899 // PACKETSTORM: 157954

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-24899

AFFECTED PRODUCTS

vendor: castel, model: nextgen dvr, scope: eq, version: 1.0.0

Trust: 2.4

sources: CNVD: CNVD-2021-24899 // JVNDB: JVNDB-2020-006191 // NVD: CVE-2020-11680

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-11680
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-006191
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-24899
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202006-502
value: MEDIUM

Trust: 0.6

NVD:
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-006191
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-24899
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

NVD:
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006191
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-24899 // JVNDB: JVNDB-2020-006191 // NVD: CVE-2020-11680 // CNNVD: CNNVD-202006-502

PROBLEMTYPE DATA

problemtype:CWE-862

Trust: 1.0

problemtype:CWE-863

Trust: 0.8

sources: JVNDB: JVNDB-2020-006191 // NVD: CVE-2020-11680

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-502

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202006-502

CONFIGURATIONS

sources: NVD: CVE-2020-11680

PATCH

title: Digital Video Recorder (DVR)
url: http://castle-cctv.kr/digital-video-recorder-dvr/

Trust: 0.8

title: Patch for Castel NextGen DVR security bypass vulnerability
url: https://www.cnvd.org.cn/patchinfo/show/255926

Trust: 0.6

title: Castel NextGen DVR Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=120744

Trust: 0.6

sources: CNVD: CNVD-2021-24899 // JVNDB: JVNDB-2020-006191 // CNNVD: CNNVD-202006-502

EXTERNAL IDS

db: PACKETSTORM, id: 157954

Trust: 3.1

db: NVD, id: CVE-2020-11680

Trust: 3.1

db: JVNDB, id: JVNDB-2020-006191

Trust: 0.8

db: CNVD, id: CNVD-2021-24899

Trust: 0.6

db: CNNVD, id: CNNVD-202006-502

Trust: 0.6

sources: CNVD: CNVD-2021-24899 // JVNDB: JVNDB-2020-006191 // PACKETSTORM: 157954 // NVD: CVE-2020-11680 // CNNVD: CNNVD-202006-502

REFERENCES

url:http://packetstormsecurity.com/files/157954/castel-nextgen-dvr-1.0.0-bypass-csrf-disclosure.html

Trust: 3.6

url:https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Trust: 1.7

url:http://seclists.org/fulldisclosure/2020/jun/8

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-11680

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11680

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11679

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11681

Trust: 0.1

url:https://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11681

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11680

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11679

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11682

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11682

Trust: 0.1

sources: CNVD: CNVD-2021-24899 // JVNDB: JVNDB-2020-006191 // PACKETSTORM: 157954 // NVD: CVE-2020-11680 // CNNVD: CNNVD-202006-502

CREDITS

Aaron Bishop

Trust: 0.7

sources: PACKETSTORM: 157954 // CNNVD: CNNVD-202006-502

SOURCES

db: CNVD, id: CNVD-2021-24899
db: JVNDB, id: JVNDB-2020-006191
db: PACKETSTORM, id: 157954
db: NVD, id: CVE-2020-11680
db: CNNVD, id: CNNVD-202006-502

LAST UPDATE DATE

2023-12-18T12:27:28.673000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-24899, date: 2021-04-04T00:00:00
db: JVNDB, id: JVNDB-2020-006191, date: 2020-07-02T00:00:00
db: NVD, id: CVE-2020-11680, date: 2021-07-21T11:39:23.747
db: CNNVD, id: CNNVD-202006-502, date: 2021-01-04T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-24899, date: 2021-04-04T00:00:00
db: JVNDB, id: JVNDB-2020-006191, date: 2020-07-02T00:00:00
db: PACKETSTORM, id: 157954, date: 2020-06-05T18:19:24
db: NVD, id: CVE-2020-11680, date: 2020-06-04T19:15:12.773
db: CNNVD, id: CNNVD-202006-502, date: 2020-06-04T00:00:00