External risk intelligence

Amcrest Camera and NVR Buffer Overflow Vulnerability

CVE advisory | Known Exploit

CVE-2020-5735

Amcrest cameras and NVRs contain a buffer overflow vulnerability. An authenticated remote attacker can exploit this to crash devices or execute arbitrary code. This impacts system availability and data integrity, posing a business risk.

Halo Surface Signal: 4

Out-of-bounds Write

Amcrest 1080 Lite 8ch Firmware

  • before v2.420.ac00.18.r.20200217
  • before v2.800.0000000.6.r.200314
  • before v2.623.00ac004.0.r.200316
  • before v2.622.00ac000.0.r.200320
  • before v2.800.00ac000.0.r.200330

External exposure likelihood

Halo Surface Signal score for CVE-2020-5735

The affected devices are IP cameras and NVRs, which are commonly deployed as network-accessible appliances. While often placed behind routers, these devices frequently have their specific management or streaming ports (like 37777) forwarded or exposed directly to the internet to facilitate remote monitoring and access, making them a common target for internet-based discovery and interaction.

Horizon Alert

Summary of the vulnerability and why it matters

Amcrest cameras and Network Video Recorders are affected by a critical vulnerability. This flaw allows an authenticated remote attacker to potentially crash the device and execute arbitrary code, impacting system availability and data integrity. The vulnerability exists in the device's handling of network traffic.

  • Vulnerable Amcrest cameras and NVRs
  • Buffer overflow flaw
  • Potential system crash and code execution

Attack Path

How an attacker could exploit the issue

This vulnerability affects Amcrest cameras and NVRs, allowing an authenticated remote attacker to crash the device or execute arbitrary code. Attackers can exploit this by sending specially crafted data over a specific network port. This could lead to a denial of service or a compromise of the device's control.

  • Network port exposure required
  • Authenticated remote attacker access
  • Triggering buffer overflow leads to control

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability in Amcrest devices could allow attackers to disrupt operations by crashing devices or potentially executing unauthorized code. This could impact the availability and integrity of video surveillance systems, posing a business risk. The vulnerability is accessible remotely and does not require special conditions beyond authenticated network access.

  • Likely attacker skill: Moderate
  • Required access: Network access, authenticated
  • Business risk: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Amcrest cameras and Network Video Recorders (NVRs) have a vulnerability that could allow an authenticated remote attacker to crash the device or execute arbitrary code. This issue exists on port 37777 and affects multiple Amcrest device models and firmware versions. Understanding the scope of affected assets is the critical first step in addressing this risk.

  • Identify all Amcrest devices within the organization's network.
  • Reduce exposure or isolate risk.
  • Apply vendor fixes and validate.
  • Monitor for related issues.

Frequently asked questions

What is the primary weakness exploited in Amcrest cameras and NVRs by CVE-2020-5735?

CVE-2020-5735 is a stack-based buffer overflow, also categorized as an out-of-bounds write. It occurs due to improper input validation in the network service that handles communications over port 37777. An attacker can send a malformed packet that overflows the buffer, potentially leading to device instability or code execution.

How can an attacker trigger the vulnerability in Amcrest devices?

An attacker must first authenticate to the Amcrest device. Once authenticated, they can send a specially crafted network packet to port 37777. This packet contains an oversized payload designed to overflow a stack buffer, exploiting the vulnerability. The attack can be initiated remotely over the network.

What is the relevance of CVE-2020-5735, considering Halo's Surface Signal?

CVE-2020-5735 is rated with a Surface Signal score of 4 (Likely). This indicates a significant threat because affected devices (IP cameras and NVRs) are network-accessible appliances. While often behind routers, their management or streaming ports, such as port 37777, are frequently exposed or forwarded for remote access, making them common targets for internet-based attacks.

What are the practical steps to address the CVE-2020-5735 vulnerability?

Organizations should prioritize updating firmware on all affected Amcrest devices to the latest available versions. Additionally, restricting network access to port 37777 via firewall rules can limit exposure. Isolating IoT and camera devices on a separate network segment, away from critical systems, is a recommended security practice, as is changing default credentials on these devices.
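To check that the port 37777 restriction described above is holding, the following added example (not part of the original advisory or any vendor tooling) scans gateway firewall logs for connections to that port on camera addresses from sources outside the management subnet. The camera VLAN, management subnet, and the log lines in Linux netfilter LOG format are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed camera/NVR VLAN
MGMT_NET = ipaddress.ip_network("10.10.5.0/28")    # assumed management hosts
SERVICE_PORT = 37777                                # port named in the advisory

# Constructed sample lines in netfilter LOG format (not real traffic).
SAMPLE_LOG = """\
Mar 30 09:14:02 gw kernel: IN=eth0 OUT=eth2 SRC=10.10.5.4 DST=10.20.0.15 LEN=60 PROTO=TCP SPT=50122 DPT=37777 SYN
Mar 30 09:14:09 gw kernel: IN=eth1 OUT=eth2 SRC=203.0.113.7 DST=10.20.0.15 LEN=60 PROTO=TCP SPT=41873 DPT=37777 SYN
Mar 30 09:14:11 gw kernel: IN=eth1 OUT=eth2 SRC=203.0.113.7 DST=10.20.0.16 LEN=60 PROTO=TCP SPT=41874 DPT=37777 SYN
Mar 30 09:15:40 gw kernel: IN=eth0 OUT=eth2 SRC=10.30.1.22 DST=10.20.0.15 LEN=60 PROTO=TCP SPT=55001 DPT=443 SYN
Mar 30 09:16:03 gw kernel: IN=eth0 OUT=eth2 SRC=10.30.1.22 DST=10.20.0.15 LEN=60 PROTO=TCP SPT=55002 DPT=37777 SYN
Mar 30 09:16:30 gw kernel: truncated PROTO=TCP SRC=10.30.1.22 DPT=37777
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_line(line):
    """Return the KEY=value fields of one LOG line as a dict."""
    return dict(FIELD.findall(line))

def unexpected_connections(log_text):
    """Yield (src, dst) for TCP traffic to the service port on a camera
    address that did not originate from the management subnet."""
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(SERVICE_PORT):
            continue
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line: nothing reliable to report
        if dst in CAMERA_NET and src not in MGMT_NET:
            yield str(src), str(dst)

def summarize(log_text):
    """Count unexpected connections per source address."""
    return Counter(src for src, _ in unexpected_connections(log_text))

if __name__ == "__main__":
    for src, hits in summarize(SAMPLE_LOG).most_common():
        print(f"{src}: {hits} connection(s) to port {SERVICE_PORT}")
```

Any source it reports is either a gap in the firewall rules or a host that should be added to the management set deliberately.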

What kind of impact can CVE-2020-5735 have on Amcrest devices?

Successful exploitation of this vulnerability can lead to a denial-of-service condition by crashing the device. In some cases, it may also allow an authenticated remote attacker to execute arbitrary code on the affected camera or NVR. This impacts the confidentiality, integrity, and availability of the surveillance system.
