IPTV encoder devices contain multiple vulnerabilities

DESCRIPTION
Multiple vulnerabilities exist in various Video Over IP (Internet Protocol) encoder devices, also known as IPTV/H.264/H.265 video encoders. These vulnerabilities allow an unauthenticated remote attacker to execute arbitrary code and perform other unauthorized actions on a vulnerable system.

IMPACT

    • Full administrative access via backdoor password (CVE-2020-24215)
    • Administrative root access via backdoor password (CVE-2020-24218)
    • Arbitrary file read via path traversal (CVE-2020-24219)
    • Unauthenticated file upload (CVE-2020-24217)
    • Arbitrary code execution by uploading malicious firmware (CVE-2020-24217)
    • Arbitrary code execution via command injection (CVE-2020-24217)
    • Denial of service via buffer overflow (CVE-2020-24214)
    • Unauthorized video stream access via RTSP (CVE-2020-24216)

SYSTEMS AFFECTED
    • J-Tech Digital
    • Provideo Instruments Inc.
    • URayTech

REFERENCES
https://kb.cert.org/vuls/id/896979
https://study.com/academy/lesson/video-over-ip-definition-characteristics.html
https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project
https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
https://www.huawei.com/en/psirt/security-notices/2020/huawei-sn-20200917-01-hisilicon-en
https://www.huawei.com/en/psirt/security-notices/2020/huawei-sn-20200205-01-hisilicon-en
