The vulnerability can be exploited by injecting malicious PHP code via a web request to the affected device. UDR-JA1004/JA1008/JA1016 are IP camera series digital video recorders that are installed at various locations such as banks, schools and other facilities. In the case of UNIMO Technology, the vulnerability has been assigned the CVE identifier CVE-2017-10272. Reportedly, this issue has been resolved in the latest UDR-JA1008 firmware version v2.2.14.20, released on July 6, 2018, or in the latest UDR-JA1016 firmware version v1.0.23.10, released on May 31, 2018. UNIMO Technology recommends that users update their UDR-JA1004/JA1008/JA1016 digital video recorders to the latest available version to mitigate the risk of exploitation. In the meantime, users can take the necessary precautionary measures to avoid being affected by such threats.

Understanding the UNIMO UDR Digital Video Recorder Vulnerability

It has been reported that UNIMO Technology is providing its customers with a security update for the UDR-JA1004/JA1008/JA1016 digital video recorder series. UNIMO Technology released a new firmware version v2.2.14.20, which resolves a vulnerability identified as CVE-2017-10272, on July 6, 2018. Additionally, users of the UDR-JA1004/JA1008/JA1016 digital video recorders are advised to update their devices to the latest available version if they have not done so already. To mitigate the risk of this vulnerability being exploited through a web request, UNIMO Technology recommends that users take the necessary measures, including restricting access to certain IP addresses and protocols when accessing the device’s web interface via LAN or Internet.

The vulnerability can be exploited by injecting malicious PHP code via a web request to the affected device. Reportedly, this issue has been resolved in the latest UDR-JA1008 firmware version v2.2.14.20 and in the latest UDR-JA1016 firmware version v1.0.23.10.
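An added example (not UNIMO's code and not part of the original advisory): a firmware audit that compares each recorder's reported version, field by field, against the fixed versions named above. The `host,model,firmware` inventory format and the sample rows are assumptions constructed for illustration.

```python
import re

# Fixed firmware versions as stated on this page. The page names no fixed
# version for UDR-JA1004, so that model is reported as "unknown".
FIXED = {
    "UDR-JA1008": (2, 2, 14, 20),
    "UDR-JA1016": (1, 0, 23, 10),
}
VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)$", re.IGNORECASE)

def parse_version(text):
    """Turn 'v2.2.14.20' or '2.2.14.20' into a tuple of ints; None if malformed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def assess(model, firmware):
    """Return 'patched', 'vulnerable' or 'unknown' for one device."""
    fixed = FIXED.get(model.strip().upper())
    current = parse_version(firmware)
    if fixed is None or current is None:
        return "unknown"  # no fixed version on the page, or unreadable string
    # Pad to equal length and compare numerically per field, so that
    # 2.2.9.3 sorts below 2.2.14.20 (a plain string comparison would not).
    width = max(len(fixed), len(current))
    pad = lambda v: v + (0,) * (width - len(v))
    return "patched" if pad(current) >= pad(fixed) else "vulnerable"

def audit(inventory_csv):
    """inventory_csv lines: host,model,firmware (hypothetical export format)."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        host, model, firmware = (f.strip() for f in line.split(","))
        results[host] = assess(model, firmware)
    return results

# Constructed sample inventory; hosts and versions are made up for illustration.
SAMPLE = """
dvr-lobby,UDR-JA1008,v2.2.14.20
dvr-vault,UDR-JA1008,v2.2.9.3
dvr-gate,UDR-JA1016,1.0.23.9
dvr-annex,UDR-JA1004,v2.2.14.20
dvr-lab,UDR-JA1016,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as "unknown" need manual follow-up rather than being treated as patched.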

Affected UNIMO Technology UDR-JA1004/JA1008/JA1016 Digital Video Recorders

UNIMO Technology Digital Video Recorders UDR-JA1004/JA1008/JA1016 are vulnerable to the attack.
By exploiting the vulnerability, an attacker can remotely access any of these digital video recorders and gain control of them.
This vulnerability is not fixed in any software update released so far by UNIMO Technology.
UNIMO Technology urges users of UNIMO Digital Video Recorders UDR-JA1004/JA1008/JA1016 to update their devices immediately with the latest available firmware version, as it has been reported that this issue has been resolved in the latest v2.2.14.20, released on July 6, 2018, or in the latest 1.0.23.10, released on May 31, 2018.

Introduction

The UDR-JA1004/JA1008/JA1016 digital video recorders are IP camera series digital video recorders installed at various locations such as banks, schools and other facilities. There is a remote code execution vulnerability in the affected devices that was first reported on April 12, 2017 by UNIMO Technology. The UDR-JA1004/JA1008/JA1016 digital video recorders are connected to the internet and can be exploited via web requests. Reportedly, this issue has been resolved in the latest UDR-JA1008 firmware version v2.2.14.20, released on July 6, 2018, or in the latest UDR-JA1016 firmware version v1.0.23.10, released on May 31, 2018.
On June 19th at 8:55 PM EST, a new vulnerability was discovered, which was assigned the CVE identifier CVE-2017-10272 and affects the same series of devices as CVE-2017-10272. Reportedly, this issue has also been resolved in the latest UDR-JA1008 firmware version v2.2.14.20 or in the latest UDR-JA1016 firmware version v1.0.23.10 to mitigate the risk of exploitation.

Timeline

Published on: 08/23/2022 02:15:00 UTC
Last modified on: 08/26/2022 13:17:00 UTC

References