ID

VAR-202006-0045


CVE

CVE-2020-11682


TITLE

Castel NextGen DVR cross-site request forgery vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-24901 // CNNVD: CNNVD-202006-504

DESCRIPTION

Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing requests. A __RequestVerificationToken is set by the web interface and included in requests sent by the web interface. However, this token is not verified by the application: the token can be removed from all requests and the request will succeed. The vulnerability stems from the fact that the web application does not fully verify whether the request comes from a trusted user. An attacker can use this vulnerability to send unexpected requests to the server through the affected client.

All issues are associated with Castel NextGen DVR v1.0.0 and have been resolved in v1.0.1.

-------------------------------

CVE-2020-11679 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11679>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
A low privileged user can call functionality reserved for an Administrator which promotes a low privileged account to the Administrator role:

    POST /Administration/Users/Edit/:ID HTTP/1.1
    Host: $RHOST
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: $REVIEWER_COOKIES
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 349

    UserId=:ID&Email=bypass%40test.com&FirstName=bypass&LastName=bypass&LDAPUser=false&Roles%5B0%5D.RoleId=1&Roles%5B0%5D.IsSelected=true&Roles%5B0%5D.IsSelected=false&Roles%5B1%5D.RoleId=3&Roles%5B1%5D.IsSelected=true&Roles%5B1%5D.IsSelected=false&Roles%5B2%5D.RoleId=5&Roles%5B2%5D.IsSelected=true&Roles%5B2%5D.IsSelected=false&Locked=false

-------------------------------

CVE-2020-11680 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11680>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
The application does not perform an authorization check before functionality is performed. Low privileged users are prevented from browsing to pages that perform Administrator functionality using GET; however, functionality can be performed by directly crafting the associated POST request. This can be exploited to modify user accounts, modify the application, etc. Combined with the reported CSRF, CVE-2020-11682, any user of the application can be used to grant Administrator access to a malicious user.

-------------------------------

CVE-2020-11681 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11681>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
Credentials are returned in cleartext in the source of the SMTP page. If a malicious user compromises an account or exploits the CSRF to gain access to the application, the associated SMTP server/account could also be compromised.

AARON BISHOP | Principal Penetration Tester
CISSP, OSCP, OSWE

Trust: 2.25

sources: NVD: CVE-2020-11682 // JVNDB: JVNDB-2020-006193 // CNVD: CNVD-2021-24901 // PACKETSTORM: 157954

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-24901

AFFECTED PRODUCTS

vendor: castel, model: nextgen dvr, scope: eq, version: 1.0.0

Trust: 2.4

sources: CNVD: CNVD-2021-24901 // JVNDB: JVNDB-2020-006193 // NVD: CVE-2020-11682

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-11682
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-006193
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-24901
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202006-504
value: MEDIUM

Trust: 0.6

NVD:
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: TRUE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-006193
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-24901
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

NVD:
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006193
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-24901 // JVNDB: JVNDB-2020-006193 // NVD: CVE-2020-11682 // CNNVD: CNNVD-202006-504

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2020-006193 // NVD: CVE-2020-11682

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-504

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202006-504

CONFIGURATIONS

sources: NVD: CVE-2020-11682

PATCH

title: Digital Video Recorder (DVR), url: http://castle-cctv.kr/digital-video-recorder-dvr/

Trust: 0.8

title: Patch for Castel NextGen DVR cross-site request forgery vulnerability, url: https://www.cnvd.org.cn/patchinfo/show/255916

Trust: 0.6

sources: CNVD: CNVD-2021-24901 // JVNDB: JVNDB-2020-006193

EXTERNAL IDS

db: PACKETSTORM, id: 157954

Trust: 3.1

db: NVD, id: CVE-2020-11682

Trust: 3.1

db: JVNDB, id: JVNDB-2020-006193

Trust: 0.8

db: CNVD, id: CNVD-2021-24901

Trust: 0.6

db: CNNVD, id: CNNVD-202006-504

Trust: 0.6

sources: CNVD: CNVD-2021-24901 // JVNDB: JVNDB-2020-006193 // PACKETSTORM: 157954 // NVD: CVE-2020-11682 // CNNVD: CNNVD-202006-504

REFERENCES

url:http://packetstormsecurity.com/files/157954/castel-nextgen-dvr-1.0.0-bypass-csrf-disclosure.html

Trust: 3.6

url:https://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf

Trust: 1.7

url:http://seclists.org/fulldisclosure/2020/jun/8

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-11682

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11682

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-11680

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11679

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11681

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11681

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11680

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11679

Trust: 0.1

url:https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Trust: 0.1


Trust: 0.1

sources: CNVD: CNVD-2021-24901 // JVNDB: JVNDB-2020-006193 // PACKETSTORM: 157954 // NVD: CVE-2020-11682 // CNNVD: CNNVD-202006-504

CREDITS

Aaron Bishop

Trust: 0.7

sources: PACKETSTORM: 157954 // CNNVD: CNNVD-202006-504

SOURCES

db: CNVD, id: CNVD-2021-24901
db: JVNDB, id: JVNDB-2020-006193
db: PACKETSTORM, id: 157954
db: NVD, id: CVE-2020-11682
db: CNNVD, id: CNNVD-202006-504

LAST UPDATE DATE

2023-12-18T12:27:28.711000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-24901, date: 2021-04-04T00:00:00
db: JVNDB, id: JVNDB-2020-006193, date: 2020-07-02T00:00:00
db: NVD, id: CVE-2020-11682, date: 2020-06-10T17:51:03.590
db: CNNVD, id: CNNVD-202006-504, date: 2021-01-04T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-24901, date: 2021-04-04T00:00:00
db: JVNDB, id: JVNDB-2020-006193, date: 2020-07-02T00:00:00
db: PACKETSTORM, id: 157954, date: 2020-06-05T18:19:24
db: NVD, id: CVE-2020-11682, date: 2020-06-04T20:15:11.677
db: CNNVD, id: CNNVD-202006-504, date: 2020-06-04T00:00:00