{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/896979#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nMultiple vulnerabilities exist in various Video Over IP (Internet Protocol) encoder devices, also known as IPTV/H.264/H.265 video encoders. These vulnerabilities allow an unauthenticated remote attacker to execute arbitrary code and perform other unauthorized actions on a vulnerable system.\r\n\r\n### Description\r\nIPTV/H.264/H.265 video encoder devices provide video streaming capability over IP networks. The underlying  software in these devices seem to share common components that have multiple weaknesses in their design and default configuration.\r\n\r\nThe vulnerabilities occur primarily in the network services such as web and telnet interfaces. These vulnerabilities stem from software bugs, such as  insufficient validation of user input and the use of insecure credentials through hard-coded passwords. [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/). The vulnerable components may also be present in other Internet of Things (IoT) devices.\r\n\r\nThese devices are manufactured using components acquired from a complex  supply chain and are often sold through common outlets such as retail stores and e-commerce websites.  This makes it difficult to  identify impacted devices and notify the appropriate stakeholders, thus illustrating the dire need for Software Bill of Materials [SBOM](https://ntia.gov/SBOM/) in this growing and complex digital market.\r\n\r\nFurther details of these vulnerabilities can be found in [this blog post](https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/) by Alexei Kojenov.\r\n\r\n### Impact\r\nThe impact of these vulnerabilities are summarized in the following list:\r\n\r\n1. Full administrative access via backdoor password (CVE-2020-24215)\r\n2. Administrative root access via backdoor password (CVE-2020-24218)\r\n3. Arbitrary file read via path traversal  (CVE-2020-24219)\r\n4. Unauthenticated file upload (CVE-2020-24217)\r\n5. Arbitrary code execution by uploading malicious firmware (CVE-2020-24217)\r\n6. Arbitrary code execution via command injection (CVE-2020-24217)\r\n7. Denial of service via buffer overflow (CVE-2020-24214)\r\n8. Unauthorized video stream access via RTSP (CVE-2020-24216)\r\n\r\n### Solution\r\n\r\n#### Apply Updates\r\nContact your vendor. See also the Vendor Information section below.\r\n\r\n#### Restrict network access\r\nRestrict network access of these devices to a well protect local area network (LAN) or through a firewall. Allowing direct Internet access to these devices increases the risk of compromise and potential abuse from an unauthorized remote attacker.\r\n\r\n### Acknowledgements\r\nAlexei Kojenov  [https://kojenov.com/](https://kojenov.com/) researched and reported these vulnerabilities.\r\n\r\nThis document was written by Vijay Sarvepalli.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"We have confirmed that we are not affected by this vulnerability and the Security Notice has been released.","title":"Vendor statment from HiSilicon"},{"category":"other","text":"Oupree's statement was provided by New Orange in support of the downstream vendor.","title":"CERT/CC comment on New Orange notes"},{"category":"other","text":"Firmware V3.02 fixes this issue.  Please obtain update from https://jtechdigital.com/product/h264-ip-encoder-live-streaming/","title":"CERT/CC comment on J-Tech Digital notes"},{"category":"other","text":"Last patch is available for customers upon request for the latest software.","title":"Vendor statment from Provideo Instruments Inc."},{"category":"other","text":"According to Alexei's testing, ProVideo devices were not found vulnerable to CVE-2020-24218 and CV-2020-2419.","title":"CERT/CC comment on Provideo Instruments Inc. notes"},{"category":"other","text":"Please see the security advisory in Oupree's website that was provided by New Orange","title":"CERT/CC comment on Oupree notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/896979"},{"url":"https://study.com/academy/lesson/video-over-ip-definition-characteristics.html","summary":"https://study.com/academy/lesson/video-over-ip-definition-characteristics.html"},{"url":"https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project","summary":"https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project"},{"url":"https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/","summary":"https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/"},{"url":"https://www.huawei.com/en/psirt/security-notices/2020/huawei-sn-20200205-01-hisilicon-en","summary":"https://www.huawei.com/en/psirt/security-notices/2020/huawei-sn-20200205-01-hisilicon-en"},{"url":"https://www.huawei.com/en/psirt/security-notices/2020/huawei-sn-20200917-01-hisilicon-en","summary":"Reference(s) from vendor \"HiSilicon\""},{"url":"https://www.huawei.com/cn/psirt/security-notices/2020/huawei-sn-20200917-01-hisilicon-cn","summary":"Reference(s) from vendor \"HiSilicon\""},{"url":"https://www.oupree.com/News/Security-Advisory-Vulnerability-of-Video-Encoder.html","summary":"Reference(s) from vendor \"New Orange\""},{"url":"https://www.oupree.com/News/Security-Advisory-Vulnerability-of-Video-Encoder.html","summary":"Reference(s) from vendor \"Oupree\""}],"title":"IPTV encoder devices contain multiple vulnerabilities","tracking":{"current_release_date":"2022-02-11T16:25:32+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#896979","initial_release_date":"2020-09-15 17:56:06.498890+00:00","revision_history":[{"date":"2022-02-11T16:25:32+00:00","number":"1.20220211162532.9","summary":"Released on 2022-02-11T16:25:32+00:00"}],"status":"final","version":"1.20220211162532.9"}},"vulnerabilities":[{"title":"Denial of service via buffer overflow.","notes":[{"category":"summary","text":"Denial of service via buffer overflow. RTSP server does not check the length of CSeq and Session RTSP request parameters \r\nsupplied by a remote user, which can result in a stack-based buffer overflow."}],"cve":"CVE-2020-24214","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#896979"}],"product_status":{"known_affected":["CSAFPID-190c4b06-39ee-11f1-8422-122e2785dc9f","CSAFPID-190c8378-39ee-11f1-8422-122e2785dc9f","CSAFPID-190d1180-39ee-11f1-8422-122e2785dc9f","CSAFPID-190d7cec-39ee-11f1-8422-122e2785dc9f","CSAFPID-190db126-39ee-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-190cdc1a-39ee-11f1-8422-122e2785dc9f"]}},{"title":"Administrative shell root access via static backdoor username and password.","notes":[{"category":"summary","text":"Administrative shell root access via static backdoor username and password"}],"cve":"CVE-2020-24218","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#896979"}],"product_status":{"known_affected":["CSAFPID-190e273c-39ee-11f1-8422-122e2785dc9f","CSAFPID-190e5db0-39ee-11f1-8422-122e2785dc9f","CSAFPID-190f319a-39ee-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-190eac98-39ee-11f1-8422-122e2785dc9f","CSAFPID-190ee8ca-39ee-11f1-8422-122e2785dc9f","CSAFPID-190f7704-39ee-11f1-8422-122e2785dc9f"]}},{"title":"Full admin interface access via static backdoor username and password.","notes":[{"category":"summary","text":"Full admin interface access via static backdoor username and password"}],"cve":"CVE-2020-24215","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#896979"}],"product_status":{"known_affected":["CSAFPID-19100372-39ee-11f1-8422-122e2785dc9f","CSAFPID-19104eea-39ee-11f1-8422-122e2785dc9f","CSAFPID-1910e06c-39ee-11f1-8422-122e2785dc9f","CSAFPID-1911173a-39ee-11f1-8422-122e2785dc9f","CSAFPID-19116064-39ee-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-19109698-39ee-11f1-8422-122e2785dc9f"]}},{"title":"Unauthorized video stream access via RTSP.","notes":[{"category":"summary","text":"Unauthorized video stream access via RTSP. \r\n Regardless of URL settings to obfuscate RTSP \r\nstreaming access, the video stream is by default available via \"rtsp://encoder/$param\""}],"cve":"CVE-2020-24216","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#896979"}],"product_status":{"known_affected":["CSAFPID-1911eaf2-39ee-11f1-8422-122e2785dc9f","CSAFPID-19123548-39ee-11f1-8422-122e2785dc9f","CSAFPID-1912b428-39ee-11f1-8422-122e2785dc9f","CSAFPID-1912f0a0-39ee-11f1-8422-122e2785dc9f","CSAFPID-19132994-39ee-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-19126e5a-39ee-11f1-8422-122e2785dc9f"]}},{"title":"Arbitrary code execution via command injection.","notes":[{"category":"summary","text":"Arbitrary code execution via command injection.   Due to lack of input variables check, an unauthenticated user can inject arbitrary commands on the target device."}],"cve":"CVE-2020-24217","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#896979"}],"product_status":{"known_affected":["CSAFPID-19139cda-39ee-11f1-8422-122e2785dc9f","CSAFPID-1913c818-39ee-11f1-8422-122e2785dc9f","CSAFPID-19144c7a-39ee-11f1-8422-122e2785dc9f","CSAFPID-191476dc-39ee-11f1-8422-122e2785dc9f","CSAFPID-1914c966-39ee-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-191405ee-39ee-11f1-8422-122e2785dc9f"]}},{"title":"Arbitrary file read via path traversal.","notes":[{"category":"summary","text":"Arbitrary file read via path traversal. Web server provides access to arbitrary file in the using path traversal from \r\ndirectory"}],"cve":"CVE-2020-24219","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#896979"}],"product_status":{"known_affected":["CSAFPID-191537a2-39ee-11f1-8422-122e2785dc9f","CSAFPID-19156768-39ee-11f1-8422-122e2785dc9f","CSAFPID-1915fafc-39ee-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-191597b0-39ee-11f1-8422-122e2785dc9f","CSAFPID-1915c28a-39ee-11f1-8422-122e2785dc9f","CSAFPID-1916356c-39ee-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Oupree","product":{"name":"Oupree Products","product_id":"CSAFPID-190c4b06-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"New Orange","product":{"name":"New Orange Products","product_id":"CSAFPID-190c8378-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"HiSilicon","product":{"name":"HiSilicon Products","product_id":"CSAFPID-190cdc1a-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"J-Tech Digital","product":{"name":"J-Tech Digital Products","product_id":"CSAFPID-190d1180-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"URayTech","product":{"name":"URayTech Products","product_id":"CSAFPID-190d7cec-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Provideo Instruments Inc.","product":{"name":"Provideo Instruments Inc. Products","product_id":"CSAFPID-190db126-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Oupree","product":{"name":"Oupree Products","product_id":"CSAFPID-190e273c-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"New Orange","product":{"name":"New Orange Products","product_id":"CSAFPID-190e5db0-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"HiSilicon","product":{"name":"HiSilicon Products","product_id":"CSAFPID-190eac98-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"J-Tech Digital","product":{"name":"J-Tech Digital Products","product_id":"CSAFPID-190ee8ca-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"URayTech","product":{"name":"URayTech Products","product_id":"CSAFPID-190f319a-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Provideo Instruments Inc.","product":{"name":"Provideo Instruments Inc. Products","product_id":"CSAFPID-190f7704-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Oupree","product":{"name":"Oupree Products","product_id":"CSAFPID-19100372-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"New Orange","product":{"name":"New Orange Products","product_id":"CSAFPID-19104eea-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"HiSilicon","product":{"name":"HiSilicon Products","product_id":"CSAFPID-19109698-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"J-Tech Digital","product":{"name":"J-Tech Digital Products","product_id":"CSAFPID-1910e06c-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"URayTech","product":{"name":"URayTech Products","product_id":"CSAFPID-1911173a-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Provideo Instruments Inc.","product":{"name":"Provideo Instruments Inc. Products","product_id":"CSAFPID-19116064-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Oupree","product":{"name":"Oupree Products","product_id":"CSAFPID-1911eaf2-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"New Orange","product":{"name":"New Orange Products","product_id":"CSAFPID-19123548-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"HiSilicon","product":{"name":"HiSilicon Products","product_id":"CSAFPID-19126e5a-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"J-Tech Digital","product":{"name":"J-Tech Digital Products","product_id":"CSAFPID-1912b428-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"URayTech","product":{"name":"URayTech Products","product_id":"CSAFPID-1912f0a0-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Provideo Instruments Inc.","product":{"name":"Provideo Instruments Inc. Products","product_id":"CSAFPID-19132994-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Oupree","product":{"name":"Oupree Products","product_id":"CSAFPID-19139cda-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"New Orange","product":{"name":"New Orange Products","product_id":"CSAFPID-1913c818-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"HiSilicon","product":{"name":"HiSilicon Products","product_id":"CSAFPID-191405ee-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"J-Tech Digital","product":{"name":"J-Tech Digital Products","product_id":"CSAFPID-19144c7a-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"URayTech","product":{"name":"URayTech Products","product_id":"CSAFPID-191476dc-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Provideo Instruments Inc.","product":{"name":"Provideo Instruments Inc. Products","product_id":"CSAFPID-1914c966-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Oupree","product":{"name":"Oupree Products","product_id":"CSAFPID-191537a2-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"New Orange","product":{"name":"New Orange Products","product_id":"CSAFPID-19156768-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"HiSilicon","product":{"name":"HiSilicon Products","product_id":"CSAFPID-191597b0-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"J-Tech Digital","product":{"name":"J-Tech Digital Products","product_id":"CSAFPID-1915c28a-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"URayTech","product":{"name":"URayTech Products","product_id":"CSAFPID-1915fafc-39ee-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Provideo Instruments Inc.","product":{"name":"Provideo Instruments Inc. Products","product_id":"CSAFPID-1916356c-39ee-11f1-8422-122e2785dc9f"}}]}}