CVE-2022-26259

7.8 HIGH

📋 TL;DR

A buffer overflow in the RTSP service of Xiongmai DVR devices lets a remote attacker crash the device (Denial of Service) with a specially crafted RTSP request. No credentials are needed: the RTSP listener on TCP port 554 accepts the request before any authentication takes place. Multiple Xiongmai DVR models used in surveillance systems are affected.

💻 Affected Systems

Products:
  • NBD80X16S-KL
  • NBD80X09S-KL
  • NBD80X08S-KL
  • NBD80X09RA-KL
  • AHB80X04R-MH
  • AHB80X04R-MH-V2
  • AHB80X04-R-MH-V3
  • AHB80N16T-GS
  • AHB80N32F4-LME
  • NBD90S0VT-QW
Versions: Firmware builds prior to the vendor's fixed release (see the vendor advisory below for the exact build per model)
Operating Systems: Embedded Linux firmware on Xiongmai DVRs
Default Config Vulnerable: ⚠️ Yes
Notes: Any device with the RTSP service enabled is vulnerable. RTSP (TCP port 554) is how NVR/VMS software and video clients pull live streams from the DVR, so it is enabled by default in most configurations and is rarely turned off.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Device crash that requires an on-site power cycle, with surveillance recording lost for the outage. Because the root cause is a buffer overflow, remote code execution leading to full device compromise cannot be ruled out, but only the crash has been publicly demonstrated.

🟠

Likely Case

Device becomes unresponsive and requires manual reboot, disrupting surveillance monitoring until restored.

🟢

If Mitigated

Minimal impact if devices are behind firewalls with restricted RTSP access and have network segmentation.

🌐 Internet-Facing: HIGH - Devices exposed to internet are directly vulnerable to remote DoS attacks via RTSP protocol.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems can exploit this via RTSP access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in referenced blog posts. RTSP is unauthenticated by default on these devices.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for specific firmware versions

Vendor Advisory: https://www.xiongmaitech.com/en/index.php/service/notice_info/51/2

Restart Required: Yes

Instructions:

1. Check the vendor advisory for your exact model and the firmware build that fixes it.
2. Download the firmware for that exact model from the Xiongmai support portal only; firmware for a different model or from a third-party mirror can brick the device or introduce tampered code.
3. Upload the firmware via the device web interface (System / Upgrade).
4. Reboot the device after the update and confirm the new firmware version in System Information.

🔧 Temporary Workarounds

Block RTSP External Access

linux

Restrict RTSP (TCP port 554) access to trusted networks only. Xiongmai firmware gives you no shell to add firewall rules on the DVR itself, so these rules belong on the Linux firewall or gateway that routes traffic to the DVR (FORWARD chain). Replace DVR_IP with the DVR's address and TRUSTED_NETWORK with the CIDR of the monitoring network (for example 192.168.10.0/24). The rules are inserted at the top of the chain so they take effect before any broader ACCEPT rule; if the rule is applied on a host that terminates the RTSP connection itself, use the INPUT chain instead.

iptables -I FORWARD 1 -p tcp -d DVR_IP --dport 554 -s TRUSTED_NETWORK -j ACCEPT
iptables -I FORWARD 2 -p tcp -d DVR_IP --dport 554 -j DROP

Disable RTSP Service

all

Turn off RTSP streaming service if not required for operations.

🧯 If You Can't Patch

  • Segment DVR devices on isolated network VLAN with no internet access
  • Implement network monitoring for RTSP protocol anomalies and DoS attempts

🔍 How to Verify

Check if Vulnerable:

Check the device model and firmware build against the affected list. If you want a positive confirmation, reproduce with the public PoC only against a spare device in a lab: a successful test crashes the unit and takes it off the network until it is power-cycled.

Check Version:

Read the firmware version from the device web interface under System Information. If the device exposes a shell (telnet or SSH, depending on firmware), cat /proc/version only shows the kernel build, not the firmware release, so use the web interface value when comparing against the vendor's fixed build.

Verify Fix Applied:

Confirm the firmware version shown in the web interface matches the vendor's fixed release for that model, then re-run the PoC against the updated device in the lab: a patched device should reject the malformed request and keep serving RTSP.
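A scripted way to do the exposure half of this check, added here as an example (not code from this page or from Xiongmai): it sends an RTSP OPTIONS and then a DESCRIBE request to the device, parses the responses, and reports whether port 554 speaks RTSP, whether DESCRIBE succeeds without credentials, and what the Server banner says. It deliberately does not send the overflow trigger, so it cannot tell you whether the fix is applied; use it to find exposed, unauthenticated RTSP listeners before and after the firewall change. The sample responses in the block are constructed, and the stream path /stream is an assumption (Xiongmai devices use a vendor-specific URL; take it from the device manual).

```python
import re
import socket
import sys

RTSP_PORT = 554


def build_request(method, host, port=RTSP_PORT, path="/", cseq=1):
    """Build a minimal RTSP/1.0 request (CRLF line endings, blank line terminator)."""
    return (
        f"{method} rtsp://{host}:{port}{path} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "User-Agent: rtsp-exposure-check\r\n"
        + ("Accept: application/sdp\r\n" if method == "DESCRIBE" else "")
        + "\r\n"
    ).encode("ascii")


def parse_response(raw):
    """Parse the status line and headers of an RTSP response; None if it is not RTSP."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    m = re.match(r"RTSP/(\d\.\d)\s+(\d{3})\s*(.*)", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"version": m.group(1), "status": int(m.group(2)),
            "reason": m.group(3), "headers": headers}


def assess(options_resp, describe_resp):
    """Summarise exposure from the two parsed responses."""
    if options_resp is None:
        return {"rtsp": False}
    return {
        "rtsp": True,
        "server": options_resp["headers"].get("server"),
        "methods": options_resp["headers"].get("public"),
        # 200 on DESCRIBE with no credentials: anyone reaching port 554 gets the stream SDP
        "unauthenticated_describe": describe_resp is not None and describe_resp["status"] == 200,
        "auth_challenge": describe_resp is not None and describe_resp["status"] == 401,
    }


def _recv_response(sock):
    """Read until the end of the header block (body, if any, is not needed here)."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < 8192:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port=RTSP_PORT, path="/stream", timeout=5.0):
    """Run OPTIONS then DESCRIBE over one connection. Only run against devices you own."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request("OPTIONS", host, port, "/", cseq=1))
        options_resp = parse_response(_recv_response(s))
        describe_resp = None
        if options_resp is not None:
            s.sendall(build_request("DESCRIBE", host, port, path, cseq=2))
            describe_resp = parse_response(_recv_response(s))
    return assess(options_resp, describe_resp)


# Constructed sample responses for offline testing (not captured from a real device).
SAMPLE_OPTIONS_OK = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nServer: ExampleRtspd/1.0\r\n"
                     b"Public: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY\r\n\r\n")
SAMPLE_DESCRIBE_401 = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
                       b'WWW-Authenticate: Digest realm="example", nonce="0123"\r\n\r\n')
SAMPLE_NOT_RTSP = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    # usage: python rtsp_check.py <dvr-ip>
    print(probe(sys.argv[1]))
```

A result with "unauthenticated_describe": True means the stream is reachable by anyone who can reach port 554, which is the same population that can send the crash request; that is the case the firewall rule above must close.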

📡 Detection & Monitoring

Log Indicators:

  • Device crash/reboot logs
  • RTSP service failure messages
  • Memory allocation errors in system logs

Network Indicators:

  • Abnormal RTSP traffic patterns
  • Multiple malformed RTSP requests to port 554
  • Sudden loss of device connectivity

SIEM Query:

Illustrative Splunk-style search; field names depend on your firewall's log format. Firewall logs do not carry RTSP payloads, so this query looks for the connection pattern of a scanner or exploit loop (many RTSP connections from one source, or one source touching several DVRs); matching malformed RTSP at the payload level needs an IDS or an RTSP-aware proxy in front of the device.

index=firewall dest_port=554
| stats count AS rtsp_conns, dc(dest_ip) AS dvrs_touched BY src_ip
| where rtsp_conns > 50 OR dvrs_touched > 3
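A worked version of the payload-level detection, added here as an example (not part of this page and not a vendor tool). It classifies RTSP requests as logged by a sensor or reverse proxy that records full request headers for port 554, and raises an alert for any single oversized request (one crafted request is enough to crash a vulnerable DVR) and for a burst of malformed requests from one source (what a scanner or exploit loop looks like). The event tuples, the length limits and the burst threshold are constructed assumptions for this example; tune MAX_URI_LEN to the longest legitimate stream URL your clients use.

```python
import re
from collections import defaultdict

# Methods defined for RTSP/1.0 (RFC 2326); anything else on port 554 is suspicious.
RTSP_METHODS = {"OPTIONS", "DESCRIBE", "ANNOUNCE", "SETUP", "PLAY", "PAUSE", "TEARDOWN",
                "GET_PARAMETER", "SET_PARAMETER", "REDIRECT", "RECORD"}
REQUEST_LINE = re.compile(r"^([A-Z_]+) (\S+) RTSP/(\d\.\d)$")
# Assumed limits for this example: legitimate DVR stream URLs and headers are far shorter.
MAX_URI_LEN = 512
MAX_HEADER_LEN = 1024


def classify_request(raw):
    """Return the reasons a raw RTSP request looks malformed (empty list = looks normal)."""
    reasons = []
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        reasons.append("bad_request_line")
    else:
        method, uri, _version = m.groups()
        if method not in RTSP_METHODS:
            reasons.append("unknown_method")
        if len(uri) > MAX_URI_LEN:
            reasons.append("oversized_uri")
    for line in lines[1:]:
        if ":" not in line:
            reasons.append("bad_header")
            break
        if len(line) > MAX_HEADER_LEN:
            reasons.append("oversized_header")
            break
    return reasons


def detect(events, threshold=5, window=60):
    """events: iterable of (timestamp_seconds, src_ip, raw_request_text).

    Alerts on (a) any single oversized request and (b) any source that sends
    `threshold` or more malformed requests within `window` seconds (sliding window).
    """
    alerts = []
    recent = defaultdict(list)  # src_ip -> timestamps of recent malformed requests
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        reasons = classify_request(raw)
        if not reasons:
            continue
        if "oversized_uri" in reasons or "oversized_header" in reasons:
            alerts.append((src, "oversized_rtsp_request", ts))
        times = [t for t in recent[src] if ts - t <= window] + [ts]
        if len(times) >= threshold:
            alerts.append((src, "malformed_rtsp_burst", ts))
            times = []  # reset so one burst raises one alert
        recent[src] = times
    return alerts


# Constructed sample events (timestamp, source, request) for offline testing.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "OPTIONS rtsp://192.0.2.10/ RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    (1, "10.0.0.5", "DESCRIBE rtsp://192.0.2.10/stream RTSP/1.0\r\nCSeq: 2\r\nAccept: application/sdp\r\n\r\n"),
    (2, "203.0.113.9", "DESCRIBE rtsp://192.0.2.10/" + "A" * 2000 + " RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    (3, "203.0.113.9", "\x00\x01\x02\x03 not rtsp at all"),
] + [
    (10 + i, "198.51.100.7", "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n") for i in range(5)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample events this reports one oversized request from 203.0.113.9 and one malformed burst from 198.51.100.7 while the legitimate client at 10.0.0.5 stays silent; the oversized check is the one that matters for this CVE, since the crash needs only one request.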

🔗 References
