Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2023-52163 (CVSS score: 8.8), relates to a case of command injection that allows post-authentication remote code
Analysis Summary
# Vulnerability: Command Injection in Digiever NVR Allowing Post-Authentication RCE
## CVE Details
- CVE ID: CVE-2023-52163
- CVSS Score: 8.8 (High)
- CWE: Command Injection (Implied by description)
## Affected Systems
- Products: Digiever DS-2105 Pro Network Video Recorders (NVRs)
- Versions: Not explicitly specified, but affects devices running vulnerable firmware.
- Configurations: Requires the attacker to be authenticated/logged into the device.
## Vulnerability Description
This vulnerability is a command injection flaw in the `time_tzsetup.cgi` component of the affected NVRs. It stems from a missing authorization check; an authenticated attacker who sends a crafted request to this component can execute arbitrary system commands on the device remotely.
## Exploitation
- Status: Exploited in the wild (Added to CISA KEV catalog)
- Complexity: Medium (Requires prior authentication)
- Attack Vector: Adjacent (Implied, requires initial access/authentication)
## Impact
- Confidentiality: Likely High (Remote Code Execution)
- Integrity: Likely High (Remote Code Execution)
- Availability: Likely High (Exploitation observed leading to botnet infection)
## Remediation
### Patches
- No patch information is explicitly provided for CVE-2023-52163, as the product has reached End-of-Life (EoL).
### Workarounds
1. **Network Isolation:** Avoid exposing the device to the internet.
2. **Credential Management:** Change default usernames and passwords immediately.
3. **Discontinuation of Use (Recommended by CISA for FCEB):** Agencies are advised to discontinue use of the product by January 12, 2025, if necessary mitigations cannot be applied.
## Detection
- **Indicators of Compromise (IOCs):** Exploitation observed involved threat actors delivering botnets such as Mirai and ShadowV2. Look for unauthorized network connections or suspicious processes indicative of botnet activity originating from the NVR.
- **Detection Methods and Tools:** Monitor network traffic and device logs for unusual requests targeting the `time_tzsetup.cgi` URI, especially post-authentication.
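The log-review step described above, as an added example that is not part of the original report or any Digiever code: a small triage helper that reads access-log lines, keeps only requests to `time_tzsetup.cgi` (the component the report names), and escalates those whose URI carries shell metacharacters, which is a generic command-injection heuristic and an assumption of this example, not a detail from the report. The Common Log Format layout, the `timezone` parameter name and the three log lines are constructed for illustration; the NVR's real log format and parameter names are not given on the page.

```python
"""Triage HTTP access-log lines for requests to the NVR's time_tzsetup.cgi endpoint.

Added example, not vendor code. Assumes Common Log Format (CLF) lines such as
an upstream reverse proxy or syslog collector would record for the device.
All sample lines below are constructed; addresses are from the documentation
ranges (RFC 5737).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# CLF: host ident authuser [timestamp] "METHOD URI PROTOCOL" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Component named in the report. Matching is case-insensitive on the whole URI
# so a query string or an unexpected directory prefix does not hide it.
TARGET_CGI = "time_tzsetup.cgi"

# Generic command-injection heuristic (assumption, not from the report):
# raw or URL-encoded shell separators and substitution characters.
SHELL_META = re.compile(r"[;|&`$()]|%3B|%7C|%26|%60|%24|%28|%29", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    user: str
    ts: str
    method: str
    uri: str
    status: str
    severity: str   # "high" or "info"
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line into a dict, or return None for non-CLF input."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[Tuple[str, str]]:
    """Decide whether a parsed record is worth escalating.

    Returns (severity, reason) or None when the request is unrelated.
    Every access to the CGI is recorded at "info" so a baseline of normal
    time-zone configuration traffic can be established; only requests that
    also carry shell metacharacters are raised to "high".
    """
    if TARGET_CGI not in rec["uri"].lower():
        return None
    if SHELL_META.search(rec["uri"]):
        return ("high", "shell metacharacters in time_tzsetup.cgi request")
    return ("info", "request to time_tzsetup.cgi")


def triage(log_text: str) -> List[Finding]:
    """Run every line through the parser and classifier; skip malformed lines."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not CLF; do not crash on noise or truncated lines
        verdict = classify(rec)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append(Finding(rec["host"], rec["user"], rec["ts"], rec["method"],
                                rec["uri"], rec["status"], severity, reason))
    return findings


def hosts_by_severity(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group unique source hosts by severity, sorted, for a quick summary."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.severity, [])
        if f.host not in out[f.severity]:
            out[f.severity].append(f.host)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample log (not captured from a real device).
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - admin [02/Jan/2025:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.10 - admin [02/Jan/2025:10:15:40 +0000] "GET /time_tzsetup.cgi?timezone=UTC HTTP/1.1" 200 128',
    '198.51.100.7 - admin [02/Jan/2025:10:16:05 +0000] "GET /time_tzsetup.cgi?timezone=UTC%3BINJECTED HTTP/1.1" 200 128',
    'garbage line that is not CLF',
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.host} user={f.user} {f.method} {f.uri} -> {f.reason}")
    print(hosts_by_severity(triage(SAMPLE_LOG)))
```

Feed it the NVR's web-server log or the proxy log in front of the device; because the device is End-of-Life, a "high" finding from any host should be treated as a probable compromise and followed up with the botnet indicators listed above (unexpected outbound connections and processes on the NVR), and "info" findings from hosts that do not normally administer the device are worth a look even without metacharacters.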
## References
- CISA KEV Catalog (General Information Source)
- TXOne Research Blog (Technical Details/EoL Status Announcement)
- NVD Entry for CVE-2023-52163 (nvd.nist.gov/vuln/detail/CVE-2023-52163)