In a recent security audit, the experts at Positive Research found serious security flaws in Samsung digital video recorder (DVR) software.
The vulnerabilities (CWE-313 and CWE-302) in Samsung Web Viewer allow attackers to access internal admin pages used for DVR management, giving them the ability to steal user credentials and take control of the entire system. These vulnerabilities are located within the device firmware, which makes them even more difficult to fix due to the lack of automatic firmware updates.
Currently, there is no patch available to fix these vulnerabilities. We therefore recommend that all Samsung DVR users restrict access to the software admin interface via Web Viewer to trusted networks only, and also restrict device access by IP address where possible.
DVR devices running Samsung software are used for security surveillance at many large companies in various industries around the world.
Details on these vulnerabilities, detected by Positive Research expert Andrey Bezborodov, are available in the CERT Vulnerability Note VU#882286.
This is not the first time Positive Technologies has found security flaws in DVR software. Earlier this spring, our experts uncovered several serious vulnerabilities in digital video recorder software used with closed-circuit TV systems, sold under dozens of brands throughout the world.
To obtain more information on these and other vulnerabilities, please contact us at firstname.lastname@example.org.