External risk intelligence

NUUO NVRmini2 Devices: Unauthorized User and Code Execution Vulnerability.

CVE advisory | Known Exploit

CVE-2022-23227

NUUO NVRmini2 devices are affected by a vulnerability allowing unauthorized user creation and code execution. This presents a business risk of system compromise and data access. The vendor has identified the affected product as end-of-life and recommends discontinuing its use.

Halo Surface Signal: 5

Missing Authentication

Nuuo Nvrmini2 Firmware

3.11.0 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2022-23227

The affected product is a Network Video Recorder (NVR), which is a type of appliance frequently deployed to be internet-accessible for remote surveillance monitoring, management, and video retrieval. Such devices are commonly exposed as edge gateways or portals to facilitate off-site access, making them typically internet-facing by design.

Horizon Alert

Summary of the vulnerability and why it matters

NUUO NVRmini2 firmware through version 3.11 exposes its user import function without authentication. An unauthenticated attacker can upload an encrypted TAR archive, which leads to the addition of arbitrary users. If combined with another flaw, this can result in the overwriting of files and code execution with root privileges.

  • Vulnerable component: NUUO NVRmini2 firmware
  • Core weakness: Missing authentication for user import
  • Main business impact: Unauthorized user access and code execution

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit a vulnerability in NUUO NVRmini2 devices. This allows the attacker to upload a specially crafted archive. By combining this with another flaw, the attacker can gain the ability to overwrite arbitrary files and execute code with root privileges. This could lead to a complete compromise of the affected device and potential lateral movement within the network.

  • Publicly accessible NVRmini2 devices.
  • Attacker uploads malicious archive.
  • Attacker achieves code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk due to its high exploitability and potential for severe damage. Attackers with moderate technical skill could exploit this flaw to gain unauthorized access, add administrative users, and ultimately execute arbitrary code on affected systems. This could lead to complete system compromise and potential data theft or manipulation. Given the severity and ease of exploitation, treating this vulnerability with high urgency is recommended.

  • Likely attacker skill level: Moderate
  • Required access or conditions: Unauthenticated network access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects NUUO NVRmini2 devices, allowing unauthenticated attackers to upload malicious archives. This can lead to the addition of arbitrary users and the potential for code execution with root privileges. The vendor has indicated the affected product is end-of-life and end-of-service. Organizations should cease using this product.

  • Identify NUUO NVRmini2 devices.
  • Discontinue use of the product.
  • Verify product removal.
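The identify and verify steps above can be run against an asset inventory export. The following is an added example, not vendor or advisory code: the CSV column names, host names and sample rows are constructed assumptions. It normalises product-name spelling and firmware strings (so that 3.9 sorts below 3.11), treats a missing version as affected, and compares two snapshots to confirm removal.

```python
import csv
import io
import re

AFFECTED_MAX = (3, 11, 0)  # advisory: "3.11.0 and earlier"

# Constructed sample inventory; hosts and column names are assumptions.
BEFORE = """host,vendor,model,firmware
cam-rec-01,NUUO,NVRmini2,3.11
cam-rec-02,Nuuo,Nvrmini 2,03.09.1
cam-rec-03,nuuo,NVRmini2,
files-01,ExampleCo,StorageBox,7.2
"""
AFTER = """host,vendor,model,firmware
cam-rec-02,Nuuo,Nvrmini 2,03.09.1
files-01,ExampleCo,StorageBox,7.2
"""

def parse_version(text):
    """Return a 3-part numeric tuple, or None when no version is recorded."""
    nums = [int(n) for n in re.findall(r"\d+", text or "")[:3]]
    return tuple(nums + [0] * (3 - len(nums))) if nums else None

def is_nvrmini2(vendor, model):
    """Match spelling variants such as 'Nuuo Nvrmini 2' and 'NUUO NVRmini2'."""
    key = re.sub(r"[^a-z0-9]", "", f"{vendor}{model}".lower())
    return "nuuo" in key and "nvrmini2" in key

def triage(inventory_csv):
    """Return [(host, status)] for every NVRmini2 row in the inventory."""
    found = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_nvrmini2(row["vendor"], row["model"]):
            continue
        ver = parse_version(row["firmware"])
        if ver is None:
            status = "version unknown, treat as affected"
        elif ver <= AFFECTED_MAX:
            status = "affected"
        else:
            status = "outside stated range, still end-of-life"
        found.append((row["host"], status))
    return found

def still_present(before_csv, after_csv):
    """Flagged hosts that remain in a later snapshot (removal not verified)."""
    return sorted({h for h, _ in triage(before_csv)} & {h for h, _ in triage(after_csv)})
```

An empty result from `still_present` only shows the device left the inventory; confirm against network discovery data as well, since unmanaged recorders often never appear in an asset list.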

Frequently asked questions

What is the NUUO NVRmini2 and what versions are affected by CVE-2022-23227?

The NUUO NVRmini2 is a Network Video Recorder (NVR) for surveillance. Versions up to and including 3.11 are affected by CVE-2022-23227, which allows an unauthenticated attacker to upload a malicious archive.

What type of vulnerability is CVE-2022-23227 and what is its core weakness?

CVE-2022-23227 is a 'Missing Authentication for Critical Function' (CWE-306) vulnerability. The core weakness lies in the lack of authentication for the user import function, allowing unauthorized users to be added.

How can CVE-2022-23227 be exploited to achieve code execution?

An unauthenticated attacker can upload an encrypted TAR archive to an affected NUUO NVRmini2. When combined with another flaw (CVE-2011-5325), this can enable arbitrary file overwrites under the web root and lead to code execution with root privileges.

What is the relevance of CVE-2022-23227 given the product's lifecycle?

NUUO has declared the NVRmini2 product line to be end-of-life and end-of-service. Therefore, the practical response is to discontinue the use of these devices to mitigate the risk posed by this vulnerability.

What is the recommended action for NUUO NVRmini2 devices affected by CVE-2022-23227?

Organizations should identify all NUUO NVRmini2 devices, cease their use immediately, and verify the complete removal of the product from their environment due to its end-of-life status.

References