VYPR
Unrated severity · NVD Advisory · Published Apr 4, 2022 · Updated Aug 3, 2024

CVE-2022-25569

Description

Bettini Srl GAMS Product Line v4.3.0 was discovered to re-use static SSH keys across installations, allowing unauthenticated attackers to log in as root users by extracting a key from the software.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bettini GAMS product line v4.3.0 and prior reuse static SSH keys, allowing unauthenticated remote attackers to gain root access.

Vulnerability

Bettini Srl's GAMS product line, running SGSetup prior to v4.4.0, contains a hard-coded RSA private key used for SSH authentication [1]. The software does not generate unique keys per installation, reusing the same static key across all devices [1]. An attacker can extract the private key from the SGSetup client software via reverse engineering [1]. Affected versions include SGSetup up to v4.3.0 [1].

Exploitation

The SGSetup client initiates an SSH connection to the DVR/NVR device without prompting for credentials, using the embedded private key [1]. An unauthenticated attacker with network access to the device can extract the key by analyzing the client binary (e.g., using a disassembler and debugger) [1]. The extracted key can then be used to directly SSH into the device as the root user [1]. No authentication or user interaction is required beyond network connectivity [1].

Impact

Successful exploitation grants the attacker full root shell access to the vulnerable DVR/NVR device [1]. This results in complete compromise of confidentiality, integrity, and availability: the attacker can read, modify, or delete all files, reconfigure the device, stop video streams, and potentially pivot to other networks [1].

Mitigation

Bettini released a firmware update to address the issue; SGSetup versions 4.4.0 and later are not vulnerable [1]. Users should upgrade to the latest firmware [1]. As a workaround, avoid exposing the DVR/NVR SSH or web interfaces to the internet [1]. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog at the time of publication.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
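The key reuse described above can be audited across a fleet. The following is an added example, not code from the advisory or the vendor: it assumes root's `authorized_keys` content has already been collected from each device, computes OpenSSH-style SHA256 fingerprints, and reports any public key trusted on more than one installation. Device names and key blobs are constructed sample data.

```python
import base64
import hashlib
from collections import defaultdict

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # public-key type names used in authorized_keys

def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (key_type, b64_blob) per key line; comments and leading options are skipped."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (e.g. no-pty) may precede the key type; take the first key-type field.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_PREFIXES):
                yield field, fields[i + 1]
                break

def find_reused_keys(fleet):
    """fleet maps device name -> authorized_keys text.
    Returns {fingerprint: sorted device names} for keys trusted on more than one device."""
    seen = defaultdict(set)
    for device, text in fleet.items():
        for _key_type, blob in parse_authorized_keys(text):
            try:
                seen[fingerprint(blob)].add(device)
            except ValueError:  # malformed base64: not a usable key line
                continue
    return {fp: sorted(devs) for fp, devs in seen.items() if len(devs) > 1}

def constructed_blob(seed):
    """Constructed stand-in for a public-key blob (sample data, not a real key)."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + hashlib.sha256(seed).digest() * 4).decode()

SHARED = constructed_blob(b"vendor-static")
SAMPLE_FLEET = {  # constructed sample: two devices trust the same key
    "dvr-01": f"ssh-rsa {SHARED} vendor@factory\n",
    "dvr-02": f"# provisioning\nno-pty ssh-rsa {SHARED} vendor@factory\n"
              f"ssh-rsa {constructed_blob(b'site-b')} admin@site-b\n",
    "nvr-03": f"ssh-rsa {constructed_blob(b'site-c')} admin@site-c\n",
}

if __name__ == "__main__":
    for fp, devices in find_reused_keys(SAMPLE_FLEET).items():
        print(f"{fp} trusted on {len(devices)} devices: {', '.join(devices)}")
```

The fingerprints use the same format as `ssh-keygen -lf`, so a reported value can be compared directly against keys found elsewhere.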

Affected products

2

References

1
