CVE-2013-1391

Q: What is the severity of CVE-2013-1391?

CVE-2013-1391 has a CVSS score of 7.5 (HIGH). This CVE describes an authentication bypass vulnerability in multiple CCTV/DVR systems that allows remote attackers to retrieve device configuration without valid credentials. Attackers can access sensitive configuration data including passwords, network settings, and system information. Affected systems include Hunt CCTV, Capture CCTV, Hachi CCTV, NoVus CCTV, and Well-Vision Inc DVR devices.

7.5 HIGH

Authentication Bypass

📋 TL;DR

This CVE describes an authentication bypass vulnerability in multiple CCTV/DVR systems that allows remote attackers to retrieve device configuration without valid credentials. Attackers can access sensitive configuration data including passwords, network settings, and system information. Affected systems include Hunt CCTV, Capture CCTV, Hachi CCTV, NoVus CCTV, and Well-Vision Inc DVR devices.

💻 Affected Systems

Products:

Hunt CCTV
Capture CCTV
Hachi CCTV
NoVus CCTV
Well-Vision Inc DVR systems

Versions: Unknown specific versions - likely multiple versions prior to 2013

Operating Systems: Embedded Linux-based DVR firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects web interface of DVR systems. Many of these devices were rebranded versions of the same underlying hardware/software.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to reconfigure devices, disable security features, access live video feeds, or use devices as pivot points into internal networks.

🟠

Likely Case

Configuration theft leading to credential harvesting, network reconnaissance, and potential unauthorized access to video surveillance systems.

🟢

If Mitigated

Limited exposure of configuration data without ability to modify settings or access video streams.

🌐 Internet-Facing: HIGH - These devices are often exposed to the internet for remote monitoring, making them easily discoverable and exploitable.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to gain unauthorized access to surveillance infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Metasploit module available (auxiliary/scanner/misc/dvr_config_disclosure). Simple HTTP request to specific endpoint bypasses authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider replacing affected devices with supported models from reputable vendors.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate DVR systems from internet and restrict access to authorized networks only

Access Control Lists

linux

Implement firewall rules to restrict access to DVR web interfaces

iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

Disable remote web interface access and require VPN for management
Change all default credentials and implement strong password policies

🔍 How to Verify

Check if Vulnerable:

Use Metasploit module: use auxiliary/scanner/misc/dvr_config_disclosure, set RHOSTS, run. Or manually test HTTP GET to /device.rsp?opt=user&cmd=list

Check Version:

Check device web interface or physical labels for firmware version information

Verify Fix Applied:

Test the exploit against the device - if configuration data is no longer accessible without authentication, the workaround is effective

📡 Detection & Monitoring

Log Indicators:

HTTP requests to /device.rsp with opt=user&cmd=list parameters
Unauthenticated access to configuration endpoints
Multiple failed login attempts followed by configuration access

Network Indicators:

HTTP GET requests to DVR web interface from unexpected sources
Traffic to known vulnerable DVR ports (80, 8080, etc.) from scanning IPs

SIEM Query:

source="dvr_web_logs" AND (uri="/device.rsp" AND query="opt=user&cmd=list") AND NOT (user_agent="browser_user_agent")

📊 Metadata

CVE ID: CVE-2013-1391

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-287

Published: October 30, 2019

Last Updated: November 21, 2024

🔗 References

http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html Exploit,Third Party Advisory
https://www.rapid7.com/db/modules/auxiliary/scanner/misc/dvr_config_disclosure Third Party Advisory
https://www.securityfocus.com/bid/57579/info Exploit,Third Party Advisory,VDB Entry
http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html Exploit,Third Party Advisory
https://www.rapid7.com/db/modules/auxiliary/scanner/misc/dvr_config_disclosure Third Party Advisory
https://www.securityfocus.com/bid/57579/info Exploit,Third Party Advisory,VDB Entry

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Cdr 0410ve Firmware by Capturecctv

Cdr 0820vde Firmware by Capturecctv

Dr6 704a4h Firmware by Huntcctv

Dr6 708a4h Firmware by Huntcctv

Dr6 7316a4h Firmware by Huntcctv

Dr6 7316a4hl Firmware by Huntcctv

Dvr 04ch Firmware by Huntcctv

Dvr 04nc Firmware by Huntcctv

Dvr 08ch Firmware by Huntcctv

Dvr 08nc Firmware by Huntcctv

Dvr 16ch Firmware by Huntcctv

Hdr 04kd Firmware by Huntcctv

Hdr 08kd Firmware by Huntcctv

Hv 04rd Pro Firmware by Hachi

Hv 08rd Pro Firmware by Hachi

Nv Dvr1204 Firmware by Novuscctv

Nv Dvr1208 Firmware by Novuscctv

Nv Dvr1216 Firmware by Novuscctv

Tw Dvr604 Firmware by Vsp

Tw Dvr616 Firmware by Vsp