ID

VAR-202006-0043


CVE

CVE-2020-11680


TITLE

Castel NextGen DVR Unauthorized authentication vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-006191

DESCRIPTION

Castel NextGen DVR v1.0.0 is vulnerable to authorization bypass on all administrator functionality. The application fails to check that a request was submitted by an administrator. Consequently, a normal user can perform actions including, but not limited to, creating/modifying the file store, creating/modifying alerts, creating/modifying users, etc. Attackers can use this vulnerability to create/modify file libraries, create/modify users, etc.

All issues are associated with Castel NextGen DVR v1.0.0 and have been resolved in v1.0.1.

-------------------------------

CVE-2020-11679 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11679>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
A low privileged user can call functionality reserved for an Administrator which promotes a low privileged account to the Administrator role:

    POST /Administration/Users/Edit/:ID HTTP/1.1
    Host: $RHOST
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: $REVIEWER_COOKIES
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 349

    UserId=:ID&Email=bypass%40test.com&FirstName=bypass&LastName=bypass&LDAPUser=false&Roles%5B0%5D.RoleId=1&Roles%5B0%5D.IsSelected=true&Roles%5B0%5D.IsSelected=false&Roles%5B1%5D.RoleId=3&Roles%5B1%5D.IsSelected=true&Roles%5B1%5D.IsSelected=false&Roles%5B2%5D.RoleId=5&Roles%5B2%5D.IsSelected=true&Roles%5B2%5D.IsSelected=false&Locked=false

-------------------------------

CVE-2020-11680 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11680>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
The application does not perform an authorization check before functionality is performed. Low privileged users are prevented from browsing to pages that perform Administrator functionality using GET, however, functionality can be performed by directly crafting the associated POST request. This can be exploited to modify user accounts, modify the application, etc. Combined with the reported CSRF, CVE-2020-11682, any user of the application can be used to grant Administrator access to a malicious user.

-------------------------------

CVE-2020-11681 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11681>

Original Disclosure
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description
Credentials are returned in cleartext in the source of the SMTP page. If a malicious user compromises an account or exploits the CSRF to gain access to the application, the associated SMTP server/account could also be compromised.

-------------------------------

CVE-2020-11682 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11682>

Original Disclosure
https://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf

Description
The application does not properly prevent CSRF; the __RequestVerificationToken, which is included with state changing requests, is not verified by the application - requests are successful even when the token is removed.

AARON BISHOP | Principal Penetration Tester
CISSP, OSCP, OSWE

Trust: 2.25

sources: NVD: CVE-2020-11680 // JVNDB: JVNDB-2020-006191 // CNVD: CNVD-2021-24899 // PACKETSTORM: 157954

IOT TAXONOMY

category: ['IoT']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-24899

AFFECTED PRODUCTS

vendor: castel
model: nextgen dvr
scope: eq
version: 1.0.0

Trust: 2.4

sources: CNVD: CNVD-2021-24899 // JVNDB: JVNDB-2020-006191 // NVD: CVE-2020-11680

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-11680
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-006191
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-24899
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202006-502
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-11680
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-006191
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-24899
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-11680
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006191
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-24899 // JVNDB: JVNDB-2020-006191 // CNNVD: CNNVD-202006-502 // NVD: CVE-2020-11680

PROBLEMTYPE DATA

problemtype:CWE-862

Trust: 1.0

problemtype:CWE-863

Trust: 0.8

sources: JVNDB: JVNDB-2020-006191 // NVD: CVE-2020-11680

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-502

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202006-502

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-006191

PATCH

title: Digital Video Recorder (DVR)
url: http://castle-cctv.kr/digital-video-recorder-dvr/

Trust: 0.8

title: Patch for Castel NextGen DVR security bypass vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/255926

Trust: 0.6

title: Castel NextGen DVR Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=120744

Trust: 0.6

sources: CNVD: CNVD-2021-24899 // JVNDB: JVNDB-2020-006191 // CNNVD: CNNVD-202006-502

EXTERNAL IDS

db: PACKETSTORM, id: 157954

Trust: 3.1

db: NVD, id: CVE-2020-11680

Trust: 3.1

db: JVNDB, id: JVNDB-2020-006191

Trust: 0.8

db: CNVD, id: CNVD-2021-24899

Trust: 0.6

db: CNNVD, id: CNNVD-202006-502

Trust: 0.6

sources: CNVD: CNVD-2021-24899 // JVNDB: JVNDB-2020-006191 // PACKETSTORM: 157954 // CNNVD: CNNVD-202006-502 // NVD: CVE-2020-11680

REFERENCES

url:http://packetstormsecurity.com/files/157954/castel-nextgen-dvr-1.0.0-bypass-csrf-disclosure.html

Trust: 3.6

url:https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Trust: 1.7

url:http://seclists.org/fulldisclosure/2020/jun/8

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-11680

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11680

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11679

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11681

Trust: 0.1

url:https://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11681

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11680

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11679

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-11682

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11682

Trust: 0.1

sources: CNVD: CNVD-2021-24899 // JVNDB: JVNDB-2020-006191 // PACKETSTORM: 157954 // CNNVD: CNNVD-202006-502 // NVD: CVE-2020-11680

CREDITS

Aaron Bishop

Trust: 0.7

sources: PACKETSTORM: 157954 // CNNVD: CNNVD-202006-502

SOURCES

db: CNVD, id: CNVD-2021-24899
db: JVNDB, id: JVNDB-2020-006191
db: PACKETSTORM, id: 157954
db: CNNVD, id: CNNVD-202006-502
db: NVD, id: CVE-2020-11680

LAST UPDATE DATE

2024-11-23T21:35:48.886000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-24899, date: 2021-04-04T00:00:00
db: JVNDB, id: JVNDB-2020-006191, date: 2020-07-02T00:00:00
db: CNNVD, id: CNNVD-202006-502, date: 2021-01-04T00:00:00
db: NVD, id: CVE-2020-11680, date: 2024-11-21T04:58:23.167

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-24899, date: 2021-04-04T00:00:00
db: JVNDB, id: JVNDB-2020-006191, date: 2020-07-02T00:00:00
db: PACKETSTORM, id: 157954, date: 2020-06-05T18:19:24
db: CNNVD, id: CNNVD-202006-502, date: 2020-06-04T00:00:00
db: NVD, id: CVE-2020-11680, date: 2020-06-04T19:15:12.773