Firmware used in up to 800,000 CCTV cameras open to attack thanks to buffer overflow zero-day bug.

Between 180,000 and 800,000 IP-based closed-circuit television cameras are exposed to a zero-day vulnerability that allows hackers to access surveillance cameras, spy on and manipulate video feeds or plant malware.

According to a Tenable Research Advisory issued Monday, the bugs are rated critical and tied to firmware possibly used in one of 100 different cameras that run the affected software. NUUO, the Taipei, Taiwan-based company that makes the firmware, is expected to issue a patch for the bug Tuesday. The company lists over 100 different partners, including Sony, Cisco Systems, D-Link and Panasonic. It’s unclear how many OEM partners may use the vulnerable firmware.

The vulnerabilities (CVE-2018-1149, CVE-2018-1150), dubbed Peekaboo by Tenable, are tied to the NUUO NVRMini2 web server software.

“Once exploited, Peekaboo would give cybercriminals access to the control management system, exposing the credentials for all connected video surveillance cameras. Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage,” researchers said.

Last year, the Reaper Botnet, a variant of the Mirai botnet, also targeted NUUO NVR devices, according to Tenable. These most recent vulnerabilities open cameras up to similar botnet attacks.

The first vulnerability (CVE-2018-1149) is the zero-day. An attacker can sniff out affected gear using a tool such as Shodan. Next, the attacker can trigger a buffer-overflow attack that allows them to access the camera’s web server Common Gateway Interface (CGI), which acts as the gateway between a remote user and the web server. According to researchers, the attack involves delivering a cookie file too large for the CGI to handle. The CGI then doesn’t validate the user’s input properly, allowing them to access the web server portion of the camera. “[A] malicious attackers can trigger stack overflow in session management routines in order to execute arbitrary code,” Tenable wrote.
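The missing input validation described above, shown as an added C example (not NUUO's or Tenable's code): a CGI-style routine that rejects an oversized or malformed session cookie before anything is copied into a fixed-size buffer. The cookie name `SESSIONID`, the 64-character limit and the function name are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SESSION_ID_MAX 64  /* assumed upper bound for a valid session id */
enum sid_status { SID_OK = 0, SID_MISSING = -1, SID_TOO_LONG = -2, SID_BAD_CHAR = -3 };

/* Copy the value of cookie `name` from a Cookie header into out[out_len].
 * The length and character set are checked BEFORE the copy, so an oversized
 * cookie is refused instead of overrunning a stack buffer, which is what an
 * unbounded strcpy()/sprintf() of the same value would allow. */
int extract_session_id(const char *cookie_hdr, const char *name,
                       char *out, size_t out_len)
{
    if (out_len == 0) return SID_TOO_LONG;
    out[0] = '\0';
    if (!cookie_hdr) return SID_MISSING;
    size_t name_len = strlen(name);
    const char *p = cookie_hdr;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;            /* skip pair separators */
        const char *end = strchr(p, ';');
        size_t pair_len = end ? (size_t)(end - p) : strlen(p);
        if (pair_len > name_len && p[name_len] == '=' &&
            strncmp(p, name, name_len) == 0) {
            const char *val = p + name_len + 1;
            size_t val_len = pair_len - name_len - 1;
            if (val_len == 0) return SID_MISSING;
            if (val_len > SESSION_ID_MAX || val_len >= out_len)
                return SID_TOO_LONG;                   /* reject, never truncate */
            for (size_t i = 0; i < val_len; i++)       /* allow-list: [A-Za-z0-9] */
                if (!isalnum((unsigned char)val[i])) return SID_BAD_CHAR;
            memcpy(out, val, val_len);
            out[val_len] = '\0';
            return SID_OK;
        }
        p += pair_len;
    }
    return SID_MISSING;
}

int main(void)
{
    char sid[SESSION_ID_MAX + 1], hdr[600];
    memset(hdr, 'A', sizeof hdr - 1);   /* constructed input: ~590-byte cookie value */
    hdr[sizeof hdr - 1] = '\0';
    memcpy(hdr, "SESSIONID=", 10);
    printf("%d\n", extract_session_id(hdr, "SESSIONID", sid, sizeof sid)); /* prints -2 */
    return 0;
}
```

Rejecting the request outright, rather than truncating the value, also gives the web server a clear event to log when oversized cookies arrive.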

The second bug (CVE-2018-1150) takes advantage of a backdoor functionality in the NUUO NVRMini2 web server. “[The] back door PHP code (when enabled) allows unauthenticated attacker to change a password for any registered user except administrator of the system,” researchers said.

NUUO’s fix is included in version 3.9.1 (03.09.0001.0000) or later. According to Tenable, NUUO was notified in June of the vulnerability. Under Tenable’s notification and disclosure policies, it gave NUUO 105 days to issue a patch before publicly disclosing the bugs.

“It’s unfortunate, but each camera will need to be updated manually by users,” said Renaud Deraison, co-founder and CTO of Tenable, in an interview with Threatpost.

“We believe vulnerable IoT devices such as these raise serious questions about how we as an industry can manage large numbers of devices. Even in a corporate environment, if the number of connected devices grows at the forecasted rate, we are going to need to rethink our patching cadence and methodology,” Deraison said.

NUUO did not return email requests for comment for this story.