DESCRIPTION:
NUUO’s network video recorder (NVR) is a Linux embedded video recording system that stores video recordings and acts as a control gateway for admins and remote viewers.
A remote code execution vulnerability (CVE-2019-9653) exists in NUUO’s NVR. It could allow unauthenticated malicious users to execute arbitrary commands as root by sending shell metacharacters to handle_load_config.php.
AFFECTED RELEASES:
NUUO Network Video Recorder Firmware 1.7.x through 3.3.x
SOLUTION:
1. Please update to the latest firmware version released by the manufacturer at https://www.nuuo.com/DownloadMainpage.php
2. If you cannot update, restrict which sources can access the device, and block any system commands and special characters in incoming requests to handle_load_config.php.
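
One way to check whether the restrictions in step 2 are holding is to review the web access log in front of the NVR. The following is an added example, not code from NUUO or from this advisory; it assumes a common/combined log format, a management subnet of 192.0.2.0/28, and a placeholder parameter name `param`, none of which come from the vendor.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: only this management subnet should reach the NVR web interface.
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/28")]
# Characters a shell treats specially; none belong in a parameter value here.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r]")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded characters are exposed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def source_allowed(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in ALLOWED_SOURCES)

def classify(line):
    """None if the line is not a request to the script, else a list of findings."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, _method, target = m.groups()
    parts = urlsplit(target)
    if fully_decode(parts.path).rsplit("/", 1)[-1].lower() != "handle_load_config.php":
        return None
    findings = []
    if not source_allowed(client):
        findings.append("source-not-allowed")
    # Split on the raw '&' first so only encoded or embedded characters are flagged.
    if any(SHELL_META.search(fully_decode(p)) for p in parts.query.split("&")):
        findings.append("shell-metacharacter")
    return findings

# Constructed sample lines; "param" is a placeholder, not the script's real parameter.
SAMPLE = [
    '192.0.2.5 - - [01/Jan/2024:10:00:00 +0000] "GET /handle_load_config.php?param=cfg1 HTTP/1.1" 200 120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /handle_load_config.php?param=cfg1 HTTP/1.1" 200 120',
    '192.0.2.5 - - [01/Jan/2024:10:00:09 +0000] "GET /handle_load_config.php?param=a%253Bb HTTP/1.1" 200 0',
]
```

Access logs normally record only the query string, so request bodies still need to be filtered at a reverse proxy or firewall placed in front of the device.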
REFERENCE:
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9653
2. https://www.nuuo.com/DownloadMainpage.php