Exploited in the Wild: The Alarming Hitron DVR Vulnerabilities

CVE-2024-22768 to CVE-2024-23842

In a concerning development in the realm of cybersecurity, the Akamai Security Intelligence Response Team (SIRT) has uncovered a series of critical vulnerabilities in various Hitron DVR models. These vulnerabilities, collectively identified under CVE IDs ranging from CVE-2024-22768 to CVE-2024-23842, give attackers a way to compromise these devices, which are predominantly used in surveillance systems.

The crux of the issue is that these vulnerabilities allow an authenticated attacker to inject OS commands through the management interface of these DVRs.

CVE-2024-22768 to CVE-2024-23842

The vulnerability within Hitron was identified in the wild and has been given the following CVE IDs:

    • CVE-2024-22768 (CVSS 7.4) Improper Input Validation in Hitron Systems DVR HVR-4781 1.03~4.02 allows an attacker to cause a network attack in case of using default admin ID/PW.
    • CVE-2024-22769 (CVSS 7.4) Improper Input Validation in Hitron Systems DVR HVR-8781 1.03~4.02 allows an attacker to cause a network attack in case of using default admin ID/PW.
    • CVE-2024-22770 (CVSS 7.4) Improper Input Validation in Hitron Systems DVR HVR-16781 1.03~4.02 allows an attacker to cause a network attack in case of using default admin ID/PW.
    • CVE-2024-22771 (CVSS 7.4) Improper Input Validation in Hitron Systems DVR LGUVR-4H 1.02~4.02 allows an attacker to cause a network attack in case of using default admin ID/PW.
    • CVE-2024-22772 (CVSS 7.4) Improper Input Validation in Hitron Systems DVR LGUVR-8H 1.02~4.02 allows an attacker to cause a network attack in case of using default admin ID/PW.
    • CVE-2024-23842 (CVSS 7.4) Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 allows an attacker to cause a network attack in case of using default admin ID/PW.

Exploitation attempts observed involved attackers using default device credentials to carry out their attacks. This method of attack not only compromises the security of the surveillance system but also poses a broader risk to the network it’s connected to.

“Akamai SIRT analysts noticed a surge in activity to our honeypots that targeted a rarely abused TCP port. The probes were of low frequency and appeared to first attempt an authentication via a POST request to /cgi-bin/system_ntp.cgi (Figure 1) followed by a command injection exploitation attempt (Figure 2). The devices targeted are Hitron Systems DVR devices that are vulnerable to RCE via command injection (Figure 3). Once authenticated, the attacker targets the command injection vulnerability in the timeserver parameter via a POST request to /cgi-bin/system_ntp.cgi,” the researcher wrote.
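The traffic pattern quoted above (a POST to /cgi-bin/system_ntp.cgi carrying a malformed timeserver value) is something defenders can look for in their own request logs, and the same allow-list check is what a hardened NTP handler should apply before using the value. The following is an added example, not Akamai's or Hitron's code; the record format, the sample records and the placeholder fragments in them are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameter named in the Akamai write-up quoted above.
NTP_ENDPOINT = "/cgi-bin/system_ntp.cgi"
PARAM = "timeserver"

# A legitimate NTP server value is a hostname or IPv4 literal: only letters,
# digits, dots and hyphens. Anything else (shell metacharacters, whitespace,
# quotes) has no business in this field and is treated as an injection attempt.
TIMESERVER_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Constructed sample records in a hypothetical "<src_ip> <method> <path> <body>"
# format (e.g. a reverse proxy or IDS that logs POST bodies). Not real traffic;
# the injected fragments are placeholders, not working payloads.
SAMPLE_REQUESTS = [
    "198.51.100.7 POST /cgi-bin/system_ntp.cgi timeserver=0.pool.ntp.org&tz=UTC",
    "198.51.100.7 POST /cgi-bin/system_ntp.cgi timeserver=pool.ntp.org%3BPLACEHOLDER_CMD",
    "203.0.113.9 GET /cgi-bin/system_ntp.cgi",
    "203.0.113.9 POST /cgi-bin/system_ntp.cgi timeserver=time.%24%28PLACEHOLDER%29.example",
    "192.0.2.5 POST /cgi-bin/other.cgi timeserver=whatever%3Bignored",
]


def is_valid_timeserver(value: str) -> bool:
    """Strict allow-list check a hardened NTP handler applies before using the value."""
    return bool(TIMESERVER_RE.fullmatch(value))


def inspect_request(record: str):
    """Return a finding dict for a POST to the NTP CGI whose timeserver value fails
    the allow-list; return None for anything else."""
    parts = record.split(" ", 3)
    if len(parts) < 3:
        return None
    src_ip, method, path = parts[0], parts[1], parts[2]
    body = parts[3] if len(parts) == 4 else ""
    if method != "POST" or path != NTP_ENDPOINT:
        return None
    # parse_qs percent-decodes, so encoded metacharacters (%3B, %24) are caught too.
    for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        if not is_valid_timeserver(value):
            return {"src_ip": src_ip, "path": path, PARAM: value}
    return None


def scan(records):
    """Run the check over a batch of records and collect the findings."""
    return [f for f in (inspect_request(r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"suspicious {PARAM} from {finding['src_ip']}: {finding[PARAM]!r}")
```

The log check cannot tell whether the preceding authentication used default credentials, so it complements, rather than replaces, the firmware update and credential change described below.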

The affected DVR models range from the HVR-4781 to the LGUVR-16H, covering firmware versions from 1.03 to 4.02. In response, Hitron Systems has released new firmware versions (≥ 4.03) to address these vulnerabilities. Users are strongly urged to update their devices to these latest versions immediately.

The discovery of these vulnerabilities serves as a stark reminder of the importance of cybersecurity in the increasingly connected world of IoT devices. It highlights the need for continuous vigilance, regular updates, and robust security protocols to safeguard against such vulnerabilities. As attackers continue to evolve their methods, the onus is on both manufacturers and users to stay ahead in the cybersecurity game.