Overview
CVE-2024-14007 describes a critical authentication bypass vulnerability affecting Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware versions prior to 1.3.4. This firmware is often used in various white-labeled DVR/NVR/IPC (Digital Video Recorder/Network Video Recorder/IP Camera) products. The vulnerability resides in the NVMS-9000 control protocol, allowing an unauthenticated remote attacker to execute privileged administrative query commands by sending a specially crafted TCP payload to an exposed control port.
Technical Details
The NVMS-9000 control protocol lacks proper authentication mechanisms. By sending a specially crafted TCP packet to the control port (typically port 8000 or a similar port), an attacker can bypass the authentication process and invoke administrative query commands. The crafted packet exploits a flaw in the protocol’s handling of command requests, enabling the attacker to impersonate an authenticated administrator.
Successful exploitation allows the attacker to execute sensitive commands such as queryBasicCfg, queryUserList, queryEmailCfg, queryPPPoECfg, and queryFTPCfg. These commands disclose sensitive information, including:
- Administrator usernames and passwords (in cleartext)
- Network and service configurations
- Email server settings
- PPPoE configuration details
- FTP server settings
- Other device details
CVSS Analysis
Currently, the CVE does not have an official CVSS score. However, given the nature of the vulnerability (authentication bypass and disclosure of sensitive information, including admin passwords), it would likely receive a Critical severity rating under CVSS scoring.
Possible Impact
The exploitation of CVE-2024-14007 can have severe consequences:
- Full System Compromise: Attackers gain access to administrator credentials, enabling complete control over the affected device.
- Data Breach: Sensitive information, including user credentials and network configurations, is exposed to unauthorized parties.
- Malware Infection: Compromised devices can be used as bots in botnets or infected with malware.
- Denial of Service (DoS): Attackers can disrupt or disable the functionality of the DVR/NVR/IPC.
- Lateral Movement: If the affected device is connected to a network, attackers can use it as a stepping stone to compromise other systems.
- Privacy Violation: Access to camera feeds can lead to severe privacy breaches.
Mitigation and Patch Steps
To mitigate the risks associated with CVE-2024-14007, the following steps are recommended:
- Upgrade Firmware: Upgrade the NVMS-9000 firmware to version 1.3.4 or later. This version contains a patch for the authentication bypass vulnerability.
- Network Segmentation: Isolate the DVR/NVR/IPC on a separate network segment to limit the impact of a potential compromise.
- Firewall Configuration: Restrict access to the NVMS-9000 control port (typically port 8000 or similar) by implementing firewall rules that only allow trusted IP addresses to connect.
- Disable Port Forwarding: Avoid exposing the NVMS-9000 control port directly to the internet by disabling port forwarding on your router.
- Strong Passwords: Enforce the use of strong, unique passwords for all user accounts on the device. Regularly change passwords.
- Monitor Network Traffic: Monitor network traffic for suspicious activity, such as unauthorized access attempts to the NVMS-9000 control port.
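
The firewall and monitoring steps above can be checked with a small triage script such as the following. It is an added example, not vendor code. It flags control-port connections from outside a trusted range and payloads that contain the administrative query names listed in this advisory. The log format, the addresses, the trusted range and the `cmd=` payload excerpts are constructed assumptions, as is the idea that the command names are visible as plain strings in captured payloads.

```python
import ipaddress

# Assumptions (not from the advisory): log layout, trusted range, addresses.
CONTROL_PORTS = {8000}  # advisory: "typically port 8000 or a similar port"
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # hypothetical management VLAN
# Administrative query commands named in the advisory.
ADMIN_QUERIES = ("queryBasicCfg", "queryUserList", "queryEmailCfg",
                 "queryPPPoECfg", "queryFTPCfg")

# Constructed sample records: time|src_ip|dst_ip|dst_port|payload excerpt
SAMPLE_LOG = """\
2025-01-10T08:00:01Z|10.20.0.15|10.30.0.5|8000|heartbeat
2025-01-10T08:02:44Z|203.0.113.77|10.30.0.5|8000|cmd=queryUserList
2025-01-10T08:02:45Z|203.0.113.77|10.30.0.5|8000|cmd=queryFTPCfg
2025-01-10T08:05:10Z|10.20.0.15|10.30.0.5|8000|cmd=queryBasicCfg
2025-01-10T08:06:00Z|198.51.100.9|10.30.0.5|443|GET /
malformed line without separators
"""

def is_trusted(ip_text):
    """True if the source address falls inside an allowlisted network."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_NETS)

def analyze(log_text):
    """Return a list of (severity, time, src, reason) findings."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, _dst, port, payload = parts
        try:
            if int(port) not in CONTROL_PORTS:
                continue  # only the control port is in scope
            trusted = is_trusted(src)
        except ValueError:
            continue  # unparsable port or address
        hits = [q for q in ADMIN_QUERIES if q in payload]
        if not trusted and hits:
            findings.append(("high", ts, src, "untrusted source sent " + ",".join(hits)))
        elif not trusted:
            findings.append(("medium", ts, src, "untrusted source reached control port"))
        elif hits:
            findings.append(("info", ts, src, "trusted source sent " + ",".join(hits)))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Any "medium" or "high" finding means the firewall restriction is not effective for that source; "info" findings give a baseline of legitimate administrative queries to compare against.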
