CVE-2021-41506

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical backdoor vulnerability in multiple Xiaongmai DVR/NVR/IP camera models and firmware versions. The vulnerability exists due to hardcoded static root account credentials in the macGuarder and dvrHelper binaries, allowing attackers to gain complete system control. Affected systems include various Xiaongmai hardware models running specific vulnerable firmware versions.

💻 Affected Systems

Products:
  • Xiaongmai AHB7008T-MH-V2
  • AHB7804R-ELS
  • AHB7804R-MH-V2
  • AHB7808R-MS-V2
  • AHB7808R-MS
  • AHB7808T-MS-V2
  • AHB7804R-LMS
  • HI3518_50H10L_S39
Versions: V4.02.R11.7601.Nat.Onvif.20170420, V4.02.R11.Nat.Onvif.20160422, V4.02.R11.7601.Nat.Onvif.20170424, V4.02.R11.Nat.Onvif.20170327, V4.02.R11.Nat.Onvif.20161205, V4.02.R11.Nat.20170301, V4.02.R12.Nat.OnvifS.20170727
Operating Systems: Embedded Linux systems on affected devices
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the listed firmware versions are vulnerable by default due to hardcoded credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to gain root access, install malware, exfiltrate video feeds, pivot to internal networks, or render devices inoperable.

🟠 Likely Case

Unauthorized access to video surveillance systems, privacy violations, potential ransomware deployment, and use of devices as botnet nodes.

🟢 If Mitigated

Limited impact if devices are isolated in secure network segments with strict access controls and monitoring.

🌐 Internet-Facing: HIGH - Devices exposed to the internet are trivially exploitable with public tools.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit tools exist (hisilicon-dvr-telnet) that allow trivial exploitation. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for latest firmware updates

Vendor Advisory: https://www.xiongmaitech.com/en/index.php/news/info/12/68

Restart Required: Yes

Instructions:

1. Visit the vendor advisory URL.
2. Identify your device model.
3. Download the latest firmware.
4. Follow the vendor's firmware update procedure.
5. Reboot the device after the update.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate affected devices in separate VLANs with strict firewall rules preventing external access.

Disable Unnecessary Services (platform: linux)

Disable Telnet and other unnecessary network services if not required for operation. Killing the daemon only affects the running system; the device's startup scripts must also be changed, otherwise the service returns at the next reboot.

  # stop the Telnet daemon currently listening on port 23
  killall telnetd

🧯 If You Can't Patch

  • Immediately remove affected devices from internet-facing networks
  • Implement strict network access controls allowing only necessary traffic from trusted sources

🔍 How to Verify

Check if Vulnerable:

Attempt to connect via Telnet to port 23 using the known hardcoded credentials from the exploit tools. If the connection succeeds, the device is vulnerable.

Check Version:

Check the device web interface or use vendor-specific CLI commands to display the firmware version.

Verify Fix Applied:

After firmware update, attempt Telnet connection with previously working credentials. Connection should fail.
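The two checks below are an added example, not part of the advisory or the vendor's tooling. They support the verification steps above from the defender's side without sending any credentials: an exact-match test of the reported firmware version against the affected list on this page, and a plain TCP connect to port 23 that should fail once the update is applied or Telnet is disabled. The helper `start_local_listener()` and the host/version values in the demo are constructed so the script can be exercised offline.

```python
"""Added example, not from the advisory: defender-side checks for CVE-2021-41506.

- is_affected_version(): exact match against the firmware versions the advisory lists.
- telnet_reachable(): TCP connect to port 23 with a timeout; expected False after the fix.
- start_local_listener(): constructed helper so the reachability check can be run offline.
"""
import socket

# Firmware versions the advisory lists as affected.
AFFECTED_VERSIONS = {
    "V4.02.R11.7601.Nat.Onvif.20170420",
    "V4.02.R11.Nat.Onvif.20160422",
    "V4.02.R11.7601.Nat.Onvif.20170424",
    "V4.02.R11.Nat.Onvif.20170327",
    "V4.02.R11.Nat.Onvif.20161205",
    "V4.02.R11.Nat.20170301",
    "V4.02.R12.Nat.OnvifS.20170727",
}
_NORMALISED = {v.lower() for v in AFFECTED_VERSIONS}


def is_affected_version(version):
    """True if the version string (as shown in the web UI) is on the affected list.
    An unlisted build is not proof of safety; confirm with telnet_reachable() as well."""
    return version.strip().lower() in _NORMALISED


def telnet_reachable(host, port=23, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout.
    Connection refused, timeout and unreachable host all return False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_local_listener():
    """Constructed helper for offline use: a listener on an ephemeral loopback port.
    Returns (socket, port); closing the socket simulates Telnet being disabled."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def verify_device(host, reported_version, port=23, timeout=3.0):
    """Combine both checks into one verdict for a device."""
    version_listed = is_affected_version(reported_version)
    telnet_open = telnet_reachable(host, port, timeout)
    if telnet_open and version_listed:
        status = "vulnerable: listed firmware and Telnet still reachable"
    elif telnet_open:
        status = "Telnet reachable: confirm the service was meant to stay enabled"
    elif version_listed:
        status = "listed firmware reported but Telnet closed: confirm the update applied"
    else:
        status = "no indicator: unlisted firmware and Telnet closed"
    return {"version_listed": version_listed, "telnet_open": telnet_open, "status": status}


if __name__ == "__main__":
    # Offline demonstration against a constructed local listener.
    srv, port = start_local_listener()
    print(verify_device("127.0.0.1", "V4.02.R11.Nat.20170301", port, 1.0))
    srv.close()
    print(verify_device("127.0.0.1", "V4.02.R11.Nat.20170301", port, 1.0))
```

Run `verify_device()` against each recorder before and after the firmware update; the second call in the demo shows the expected post-fix result, where the listed version may still be reported by a stale web page but port 23 no longer accepts connections.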

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful Telnet logins
  • Unexpected root user logins via Telnet

Network Indicators:

  • Telnet connections from unexpected sources
  • Unusual outbound traffic from DVR/NVR devices

SIEM Query:

(source="*dvr*" OR source="*nvr*") AND (event="telnet" OR port=23) AND (user="root" OR auth_success=true)
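The script below is an added example, not part of the advisory: it applies the log indicators and the SIEM query's conditions to constructed sample log lines. The log format (`<timestamp> <host> telnetd: <failed|successful> login for '<user>' from <source-ip>`), the host names, the trusted management address and the sample lines are all constructed for the example; a real deployment would map the same three rules onto whatever fields its syslog or SIEM actually provides.

```python
"""Added example, not part of the advisory: the detection logic from the
Detection & Monitoring section run over constructed sample log lines.

Assumed (constructed) log format, one line per Telnet login attempt:
    <timestamp> <host> telnetd: <failed|successful> login for '<user>' from <source-ip>
Hosts whose names contain "dvr" or "nvr" are treated as recorders, mirroring
the source="*dvr*" OR source="*nvr*" filter of the SIEM query.
"""
import re
from collections import defaultdict

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: (?P<result>failed|successful) "
    r"login for '(?P<user>[^']+)' from (?P<src>\S+)$"
)

# Constructed: the only management host expected to open Telnet to the recorder VLAN.
TRUSTED_SOURCES = {"10.0.50.5"}

# Constructed sample log lines (203.0.113.9 is a documentation address).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z dvr-lobby telnetd: failed login for 'admin' from 203.0.113.9",
    "2024-03-01T10:00:02Z dvr-lobby telnetd: failed login for 'admin' from 203.0.113.9",
    "2024-03-01T10:00:03Z dvr-lobby telnetd: successful login for 'root' from 203.0.113.9",
    "2024-03-01T10:05:00Z nvr-warehouse telnetd: successful login for 'root' from 10.0.50.5",
    "2024-03-01T10:06:00Z fileserver01 telnetd: successful login for 'backup' from 10.0.50.5",
    "2024-03-01T10:07:00Z dvr-lobby kernel: link up on eth0",  # not a login event
]


def parse_event(line):
    """Return a dict for a Telnet login line, or None for anything else."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_recorder_host(host):
    h = host.lower()
    return "dvr" in h or "nvr" in h


def matches_siem_query(ev):
    """Same condition as the SIEM query: recorder host AND Telnet AND (root OR success).
    Every parsed event is already a Telnet event, so only the other two clauses are tested."""
    return is_recorder_host(ev["host"]) and (ev["user"] == "root" or ev["result"] == "successful")


def detect(lines):
    """Return alerts in log order. Three rules, matching the indicators listed above:
    - telnet_from_unexpected_source: successful login from a non-trusted source
    - root_telnet_login: successful root login on a recorder
    - failures_then_success: success preceded by failed attempts from the same source
    """
    alerts = []
    failures = defaultdict(int)  # (host, src) -> failed attempts seen so far
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["host"], ev["src"])
        if ev["result"] == "failed":
            failures[key] += 1
            continue
        base = {"ts": ev["ts"], "host": ev["host"], "src": ev["src"], "user": ev["user"]}
        if ev["src"] not in TRUSTED_SOURCES:
            alerts.append({"rule": "telnet_from_unexpected_source", **base})
        if ev["user"] == "root" and is_recorder_host(ev["host"]):
            alerts.append({"rule": "root_telnet_login", **base})
        if failures[key]:
            alerts.append({"rule": "failures_then_success", "failed_attempts": failures[key], **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the sample data the outside address 203.0.113.9 trips all three rules on dvr-lobby, the trusted management host still raises a root-login alert on nvr-warehouse (a root Telnet login on these devices is worth reviewing regardless of source), and the non-recorder fileserver01 produces nothing.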
