Schneider Electric Pelco DS-NVs Buffer Overflow Vulnerability
Low RiskICS-CERT ICSA-15-071-01Dec 13, 2015
Summary
Schneider Electric Pelco DS-NVs network video recorders contain a stack-based buffer overflow vulnerability (CWE-121) in firmware version 7.6.32 and earlier. The vulnerability could allow an attacker with network access to cause a denial of service or potentially execute arbitrary code on the surveillance system. No vendor patch is available for this product.
What this means
What could happen
A buffer overflow in the Pelco DS-NVs video surveillance system could allow an attacker to crash the device or execute arbitrary code, potentially disrupting security monitoring and situational awareness in critical energy infrastructure.
Who's at risk
Energy sector operators using Pelco DS-NVs network video recorders for physical security and surveillance of substations, generation facilities, or control centers should be aware of this vulnerability. Affected equipment includes all DS-NVs models running firmware version 7.6.32 or earlier.
How it could be exploited
An attacker with network access to the Pelco DS-NVs device could send a specially crafted input to trigger a stack-based buffer overflow, potentially gaining code execution on the surveillance system.
Prerequisites
- Network access to the Pelco DS-NVs device
- Ability to send crafted input to vulnerable service or interface
Remotely exploitableNo patch availableAffects security monitoring systemsBuffer overflow vulnerability
Exploitability
Moderate exploit probability (EPSS 5.0%)
Affected products (1)
ProductAffected VersionsFix Status
Pelco DS-NVs: <=7.6.32≤ 7.6.32No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1WORKAROUNDRestrict network access to the Pelco DS-NVs device using firewall rules and ACLs
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HARDENINGMonitor for signs of exploitation and unusual network traffic to the device
Mitigations - no patch available
0/2Pelco DS-NVs: <=7.6.32 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGImplement network segmentation to restrict access to Pelco DS-NVs devices to authorized personnel only
HARDENINGEvaluate replacement or decommissioning of unsupported Pelco DS-NVs systems running version 7.6.32 or earlier
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/a35b03fa-f0b8-4f39-99e8-718b8889bf4f