Outbreak Alert: TBK DVR Authentication Bypass Attack
| Description | This outbreak alert on TBK DVR covers vulnerability that is Authentication Bypass Attack.
CVE-2018-9995 is a critical vulnerability in TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.
This article describes the assessment of Authentication Bypass vulnerability in TBK DVR software. |
| Scope | FortiDAST Scripting Engine updated in version 24.3 |
| Solution | Detection against that vulnerability is empowered by the FortiDAST Scripting Engine (FSE).
This technology enables FortiDAST to assess remotely with a high level of confidence if an asset is vulnerable to a specific vulnerability by testing the disarmed exploit against the asset itself.
To configure the scan, it will be necessary to enable the FSE group signature 'tbk-vision' which will select the underlying script as per the scan requirement: 'CVE-2018-9995 TBK DVR4104 DVR4216 credential leak vulnerability.'
For reference, a step-by-step guide on how to configure FortiDAST to trigger FSE can be found on Fortinet’s blog: |