CVE-2024-14007 — NVMS-9000 Authentication Bypass & Information Disclosure.
This vulnerability is known to affect certain versions of NVR/DVR core software running on specific Genie devices. There is no evidence that this type of attack allows access into the wider office network: it does not provide a pathway into PCs, servers, or other systems using the same internet connection, provided standard network configurations are in place.
No indications of data loss or network compromise have been identified as a result of this attack.
This vulnerability affects certain Linux-based recording devices from various vendors. It is not thought to have been designed specifically to target recorders; unfortunately, however, it can affect older Genie hardware that is based on the N9000 platform and running firmware versions between 1.2.6 and 1.3.3. (Versions 1.3.4 and newer, released from 2019 onwards, are not affected.) The affected version of the Linux core has been used in other vendors' products, which have been more widely exploited. Bioaccess Sales Limited therefore strongly advises checking other similarly placed products running Linux core software.
It’s understood that it was primarily designed to allow unauthorised access to the wider network, and although it’s not believed to have achieved this via DVR/NVR hardware, it can cause a network to become overloaded and inoperable.
CVE-2024-14007 is not specific to Genie NVR/DVR devices and does not have any known direct connections to any Genie DVR/NVR products in public vulnerability databases.
Summary of CVE-2024-14007
Description: Older NVMS-9000 firmware (versions prior to 1.3.4) contains an authentication bypass in its control protocol. A crafted TCP payload sent to an exposed control port can cause the network to become overloaded, the main symptom being a sluggish and unusable network. Network services usually return to normal after the LAN cable is disconnected from the DVR/NVR and the router/switches are power cycled.
Severity: High (CVSS 8.7)
Impact: An unauthenticated attacker could potentially retrieve administrator usernames/passwords in cleartext, plus network/service configurations, via query commands.
Mitigation: Disconnect the LAN connection, factory reset the device, and update the firmware to version 1.3.4 or later.
NOTE: Due to the architecture of older hardware platforms, a staged update will need to be carried out. However, there is an increased risk of catastrophic hardware failure when updating older products with newer firmware versions, so this must be executed with precautions and contingency plans in place to avoid leaving the site without a fully functioning surveillance system.
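To triage an estate of recorders against the version ranges stated in this bulletin, the following is an added example (not Genie or vendor code). It assumes a CSV inventory with site, device and firmware columns and that each firmware string contains a dotted major.minor.patch number; the sample rows and the status names are constructed for illustration.

```python
import csv
import io
import re

# Version bounds taken from the bulletin text.
AFFECTED_MIN = (1, 2, 6)   # lowest version in the bulletin's stated affected range
FIXED_MIN = (1, 3, 4)      # first version the bulletin lists as not affected

# Constructed sample inventory: device names and version strings are invented.
SAMPLE_INVENTORY = """site,device,firmware
HQ,nvr-01,1.3.3
HQ,nvr-02,V1.3.4.21875B
Depot,dvr-07,1.2.6
Depot,dvr-08,1.1.9
Shop,nvr-11,unknown
"""

def parse_version(text):
    """Return the first major.minor.patch found as an int tuple, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def classify(firmware):
    """Map a firmware string to a triage status (status names are hypothetical)."""
    v = parse_version(firmware)
    if v is None:
        return "UNKNOWN"            # cannot be cleared: check the device itself
    if v >= FIXED_MIN:              # integer tuples, so 1.10.0 sorts above 1.3.4
        return "NOT_AFFECTED"
    if v >= AFFECTED_MIN:
        return "AFFECTED"
    # Below 1.2.6: outside the stated 1.2.6 to 1.3.3 range, but the summary says
    # "versions prior to 1.3.4", so keep it flagged until confirmed otherwise.
    return "AFFECTED_PRE_RANGE"

def triage(csv_text):
    """Return (site, device, firmware, status) for every inventory row."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["site"], r["device"], r["firmware"], classify(r["firmware"]))
            for r in rows]

if __name__ == "__main__":
    for site, device, fw, status in triage(SAMPLE_INVENTORY):
        print(f"{site:6} {device:8} {fw:16} {status}")
```

Devices reported as UNKNOWN or AFFECTED_PRE_RANGE need a manual check before they are scheduled for the staged update described in the note above.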
Important Clarification
This CVE does not apply specifically to Genie DVR/NVR products or firmware (e.g., Genie CCTV recorders). It is a general vulnerability affecting hardware running the affected versions of the Linux kernel in the device’s operating system.
For support in identifying affected hardware, or further information regarding this bulletin, contact us here: Cybersecurity – Genie Products