PT-2016-6633 · NetGear+1 · Netgear Readynas Surveillance+2
Pedro Ribeiro
·
Published
2016-08-31
·
Updated
2017-09-03
·
CVE-2016-5677
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
NUUO NVRmini 2 versions 1.7.5 through 3.0.0
NUUO NVRsolo versions 1.0.0 through 3.0.0
NETGEAR ReadyNAS Surveillance versions 1.1.1 through 1.4.1
Description
The issue allows remote attackers to obtain sensitive information due to a hardcoded password for the nuuoeng account. This can be exploited via an nvr status .php request.
Recommendations
For NUUO NVRmini 2 versions 1.7.5 through 3.0.0, consider changing the hardcoded password for the nuuoeng account.
For NUUO NVRsolo versions 1.0.0 through 3.0.0, consider changing the hardcoded password for the nuuoeng account.
For NETGEAR ReadyNAS Surveillance versions 1.1.1 through 1.4.1, consider changing the hardcoded password for the nuuoeng account.
As a temporary workaround, consider restricting access to the nvr status .php endpoint until a patch is available.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Netgear Readynas Surveillance
Nuuo Nvrmini 2
Nuuo Nvrsolo