CVE-2016-6536
Description
The /setup URI on AVer Information EH6108H+ devices with firmware X9.03.24.00.07l allows remote attackers to bypass intended page-access restrictions or modify passwords by leveraging knowledge of a handle parameter value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Attackers can bypass authentication on AVer EH6108H+ DVRs via the /setup URI by guessing a handle parameter, enabling configuration changes and password modification.
Vulnerability
The /setup URI on AVer Information EH6108H+ hybrid DVR devices running firmware version X9.03.24.00.07l (and possibly earlier) contains an authentication bypass vulnerability [1]. The page relies on a handle parameter that is assumed to be immutable, but an attacker can guess or brute-force this value to bypass intended page-access restrictions [1].
Exploitation
An unauthenticated attacker with network access to the device can exploit this vulnerability by guessing the handle parameter value of the /setup page [1]. No prior authentication or user interaction is required. The attacker can attempt to enumerate possible handle values until a valid one is found [1].
Impact
Successful exploitation allows the attacker to access restricted pages, alter DVR configurations, and change user passwords [1]. Combined with other vulnerabilities in the same device (hard-coded credentials and insecure credential storage), this can lead to complete compromise of the DVR system [1].
Mitigation
As of the publication date (2016-09-19), no firmware update or patch has been disclosed in the available references [1]. Users are advised to contact AVer Information for remediation guidance. If no fix is available, consider isolating the device on a restricted network segment [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = firmware X9.03.24.00.07l
Patches
No patches discovered yet.
References
- www.kb.cert.org/vuls/id/667480 (nvd; Third Party Advisory; US Government Resource)
- www.securityfocus.com/bid/92936 (nvd)