GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Net Mask field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v6 = strlen(g_network_config->net_mask); memcpy(&reply_buf[184], g_network_config->net_mask, v6);
The DVRSearch service accepts UDP messages without authentication from any host on the network. When processing the received message, the server copies the value of the 'Net Mask' field from the global network configuration structure to a local buffer on the stack using memcpy, with the size of the copied data determined by strlen() without verifying whether it fits in the destination buffer. An attacker who can influence the contents of the net_mask field (e.g., by sending a crafted UDP message beforehand) can cause a stack buffer overflow and overwrite control data, such as the function return address.
An unauthenticated network attacker can gain full control of the device through remote code execution (RCE) with the privileges of the DVRSearch process, which may lead to compromise of confidentiality, integrity, and availability of the system.
Apply patches available from the manufacturer according to the references (https://www.geovision.com.tw/cyber_security.php). Until updated, it is recommended to isolate the device on the network (firewall, VLAN segmentation) and block unauthorized access to UDP port 10001 from untrusted network segments.
GeoVision GV-I/O Box 4E device — versions indicated in the manufacturer's references.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H