CVE-2018-10676

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to download sensitive credential files from multiple DVR brands via direct HTTP requests to the download.rsp URI. Attackers can obtain administrative credentials without authentication, potentially gaining full control of affected devices. Organizations using CeNova, Night OWL, Novo, Pulnix, QSee, Securus, or TBK Vision DVR devices are affected.

💻 Affected Systems

Products:
  • CeNova
  • Night OWL
  • Novo
  • Pulnix
  • QSee
  • Securus
  • TBK Vision
Versions: All versions with the vulnerable download.rsp endpoint
Operating Systems: Embedded Linux-based DVR firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects DVR devices from multiple vendors that share common firmware components. The vulnerability exists in the web interface component.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access to DVR systems, disable security features, manipulate video feeds, use devices as network pivots, or deploy ransomware on connected systems.

🟠

Likely Case

Attackers steal administrative credentials, access live video feeds, delete or tamper with recorded footage, and potentially compromise the entire DVR system.

🟢

If Mitigated

With proper network segmentation and access controls, attackers can only access isolated DVR systems without lateral movement to critical infrastructure.

🌐 Internet-Facing: HIGH - DVRs are often exposed to the internet for remote viewing, making them easily discoverable and exploitable by automated scanners.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this if DVRs are accessible on the internal network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a single HTTP GET request to the download.rsp endpoint. No authentication or special tools are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisories identified

Restart Required: No

Instructions:

No official patch available. Contact device vendors for firmware updates. Consider replacing affected devices with supported models.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all affected products

Isolate DVR devices on separate VLANs with strict firewall rules blocking external access

Web Interface Disable

Applies to: all affected products

Disable the web interface if remote access is not required

🧯 If You Can't Patch

  • Implement strict network access controls allowing only trusted IP addresses to access DVR web interfaces
  • Change all default credentials and implement strong password policies for DVR administrative accounts

🔍 How to Verify

Check if Vulnerable:

Issue an HTTP GET request to http://[DVR_IP]/download.rsp and check whether credential files are returned

Check Version:

Check device firmware version via web interface or serial console (vendor-specific)

Verify Fix Applied:

Verify that the download.rsp endpoint no longer returns sensitive files, or that it returns an access-denied error

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /download.rsp from unusual IP addresses
  • Multiple failed login attempts following download.rsp access

Network Indicators:

  • Unusual outbound connections from DVR devices
  • Traffic patterns indicating credential exfiltration

SIEM Query:

source_ip=* dest_ip=[DVR_IP] uri_path="/download.rsp" http_method=GET
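The log indicators above can be checked without a SIEM. The following is an added example, not code from this advisory or from any vendor: it parses Common Log Format access-log lines as a proxy or firewall in front of the DVR might write them (the DVR firmware itself may not log requests), and raises an alert for every request to /download.rsp, rating it by whether the source is on a trusted-IP list and whether the server actually served the file. The log lines, the IP addresses and the trusted range are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample access-log lines (Common Log Format); not real captures.
SAMPLE_LOG = """\
203.0.113.45 - - [10/May/2018:03:14:07 +0000] "GET /download.rsp HTTP/1.1" 200 4096 "-" "python-requests/2.18.4"
192.168.10.20 - - [10/May/2018:08:02:11 +0000] "GET /Login.htm HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
192.168.10.20 - - [10/May/2018:08:02:40 +0000] "GET /download.rsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2018:09:30:01 +0000] "GET /download.rsp?x=1 HTTP/1.1" 403 0 "-" "curl/7.58.0"
198.51.100.7 - - [10/May/2018:09:30:02 +0000] "POST /login.rsp HTTP/1.1" 401 0 "-" "curl/7.58.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_trusted(ip: str, trusted: List[str]) -> bool:
    """True when ip falls inside any allow-listed host or CIDR range (assumed allow-list)."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in trusted)

def find_download_rsp_requests(log_text: str, trusted: List[str]) -> List[Dict[str, str]]:
    """One alert per request for download.rsp, with a severity:
    'high'   - untrusted source and the server answered 2xx (credential file likely served)
    'medium' - untrusted source but the request was refused (probe or scan)
    'low'    - trusted source; kept for audit rather than alerting"""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF
        # Drop any query string and compare case-insensitively; the endpoint is the indicator.
        path = m.group("path").split("?", 1)[0].lower()
        if path != "/download.rsp":
            continue
        trusted_src = is_trusted(m.group("ip"), trusted)
        served = m.group("status").startswith("2")
        severity = "low" if trusted_src else ("high" if served else "medium")
        alerts.append({"ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
                       "status": m.group("status"), "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in find_download_rsp_requests(SAMPLE_LOG, ["192.168.10.0/24"]):
        print(alert)
```

A 2xx from an untrusted source is the case to treat as a likely credential disclosure and to follow with a credential reset on the device.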
