PT-2018-3874 · Qsee+7 · Qsee+10

Capitan_Alfa +1 · Published 2018-04-09 · Updated 2025-01-18 · CVE-2018-9995

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login

Description: The issue allows remote attackers to bypass authentication via a "Cookie: uid=admin" header. This can be demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response. Exploitation of this issue may allow a remote attacker to bypass security restrictions and gain unauthorized access to protected information by sending a specially crafted request. There has been a spike in attacks against TBK DVR devices.

Recommendations: For TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, consider disabling the uid=admin header in the Cookie to prevent authentication bypass until a patch is available. As a temporary workaround, restrict access to the device.rsp?opt=user&cmd=list endpoint to minimize the risk of exploitation. Avoid using the uid variable in the Cookie header in the affected devices until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
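
Detection sketch for the request pattern described above, added here as an example and not taken from the advisory or any vendor. It assumes a reverse proxy in front of the DVR that writes combined-style log lines with the request's Cookie header as the last quoted field; that log layout, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log layout (not from the advisory): Cookie header is the last quoted field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$')

def cookie_pairs(header):
    """Split a Cookie header into {name: value}, tolerating odd spacing."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name.strip().lower()] = value.strip()
    return pairs

def classify(target, cookie):
    """Return 'credential-list', 'uid-cookie' or None for one request."""
    url = urlsplit(target)
    if not url.path.lower().endswith("/device.rsp"):
        return None
    # Case-folding is a detection-side choice so near-variants are not missed.
    if cookie_pairs(cookie).get("uid", "").lower() != "admin":
        return None
    query = {k.lower(): [v.lower() for v in vs]
             for k, vs in parse_qs(url.query).items()}
    if "user" in query.get("opt", []) and "list" in query.get("cmd", []):
        return "credential-list"   # the request named in the description
    return "uid-cookie"            # same cookie on another device.rsp call

def scan(lines):
    """Yield (ip, timestamp, status, verdict) for each matching log line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        verdict = classify(m["target"], m["cookie"]) if m else None
        if verdict:
            yield m["ip"], m["ts"], int(m["status"]), verdict

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [09/Apr/2018:10:00:01 +0000] "GET /device.rsp?opt=user&cmd=list HTTP/1.1" 200 412 "uid=admin"',
    '203.0.113.9 - - [09/Apr/2018:10:02:13 +0000] "GET /device.rsp?cmd=list&opt=user HTTP/1.1" 403 0 "lang=en; UID=Admin"',
    '192.0.2.44 - - [09/Apr/2018:10:05:40 +0000] "GET /device.rsp?opt=user&cmd=list HTTP/1.1" 401 0 "uid=operator"',
    '192.0.2.44 - - [09/Apr/2018:10:06:02 +0000] "GET /index.html HTTP/1.1" 200 900 "uid=admin"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit)
```

A "credential-list" hit logged with status 200 means the device answered the request, so the accounts on that device should be treated as exposed.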

Exploit

Improper Authentication

XSS


Weakness Enumeration

Related identifiers

BDU:2023-02753
CVE-2018-9995

Affected products

Cenova
Dvr Login
Hvr Login
Night Owl
Novo
Pulnix
Qsee
Securus
Tbk Dvr-4104
Tbk Dvr-4216
Xvr 5 In 1