IPTV encoder devices contain multiple vulnerabilities

Overview

Multiple vulnerabilities exist in various Video Over IP (Internet Protocol) encoder devices, also known as IPTV/H.264/H.265 video encoders. These vulnerabilities allow an unauthenticated remote attacker to execute arbitrary code and perform other unauthorized actions on a vulnerable system.

Description

IPTV/H.264/H.265 video encoder devices provide video streaming capability over IP networks. The underlying software in these devices seem to share common components that have multiple weaknesses in their design and default configuration.

The vulnerabilities occur primarily in the network services such as web and telnet interfaces. These vulnerabilities stem from software bugs, such as insufficient validation of user input and the use of insecure credentials through hard-coded passwords. <https://owasp.org/www-project-top-ten/&gt;. The vulnerable components may also be present in other Internet of Things (IoT) devices.

These devices are manufactured using components acquired from a complex supply chain and are often sold through common outlets such as retail stores and e-commerce websites. This makes it difficult to identify impacted devices and notify the appropriate stakeholders, thus illustrating the dire need for Software Bill of Materials SBOM in this growing and complex digital market.

Further details of these vulnerabilities can be found in this blog post by Alexei Kojenov.

Impact

The impact of these vulnerabilities are summarized in the following list:

1. Full administrative access via backdoor password (CVE-2020-24215)
2. Administrative root access via backdoor password (CVE-2020-24218)
3. Arbitrary file read via path traversal (CVE-2020-24219)
4. Unauthenticated file upload (CVE-2020-24217)
5. Arbitrary code execution by uploading malicious firmware (CVE-2020-24217)
6. Arbitrary code execution via command injection (CVE-2020-24217)
7. Denial of service via buffer overflow (CVE-2020-24214)
8. Unauthorized video stream access via RTSP (CVE-2020-24216)

Solution

Apply Updates

Contact your vendor. See also the Vendor Information section below.

Restrict network access

Restrict network access of these devices to a well protect local area network (LAN) or through a firewall. Allowing direct Internet access to these devices increases the risk of compromise and potential abuse from an unauthorized remote attacker.

Acknowledgements

Alexei Kojenov <https://kojenov.com/&gt; researched and reported these vulnerabilities.

This document was written by Vijay Sarvepalli.

Vendor Information

896979

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

J-Tech Digital __ Affected

Notified: 2020-08-20 Updated: 2022-02-11

Statement Date: February 11, 2022

CVE-2020-24214	Affected
CVE-2020-24215	Affected CVE-2020-24216

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

Firmware V3.02 fixes this issue. Please obtain update from https://jtechdigital.com/product/h264-ip-encoder-live-streaming/

New Orange __ Affected

Notified: 2020-09-18 Updated: 2020-09-28

Statement Date: September 25, 2020

CVE-2020-24214	Affected
CVE-2020-24215	Affected CVE-2020-24216

Vendor Statement

We have not received a statement from the vendor.

References

• <https://www.oupree.com/News/Security-Advisory-Vulnerability-of-Video-Encoder.html&gt;

CERT Addendum

Oupree’s statement was provided by New Orange in support of the downstream vendor.

Oupree __ Affected

Updated: 2020-09-28

Statement Date: September 25, 2020

CVE-2020-24214	Affected
CVE-2020-24215	Affected CVE-2020-24216

Vendor Statement

We have not received a statement from the vendor.

References

• <https://www.oupree.com/News/Security-Advisory-Vulnerability-of-Video-Encoder.html&gt;

CERT Addendum

Please see the security advisory in Oupree’s website that was provided by New Orange

Provideo Instruments Inc. __ Affected

Updated: 2020-09-18

Statement Date: September 08, 2020

CVE-2020-24214	Affected
CVE-2020-24215	Affected CVE-2020-24216

Vendor Statement

Last patch is available for customers upon request for the latest software.

CERT Addendum

According to Alexei’s testing, ProVideo devices were not found vulnerable to CVE-2020-24218 and CV-2020-2419.

URayTech Affected

Updated: 2020-09-15 CVE-2020-24214	Affected
CVE-2020-24215	Affected CVE-2020-24216

Vendor Statement

We have not received a statement from the vendor.

HiSilicon __ Not Affected

Notified: 2020-09-14 Updated: 2020-09-17

Statement Date: September 16, 2020

CVE-2020-24214	Not Affected
CVE-2020-24215	Not Affected CVE-2020-24216

Vendor Statement

We have confirmed that we are not affected by this vulnerability and the Security Notice has been released.

References

• <https://www.huawei.com/en/psirt/security-notices/2020/huawei-sn-20200917-01-hisilicon-en&gt;
• <https://www.huawei.com/cn/psirt/security-notices/2020/huawei-sn-20200917-01-hisilicon-cn&gt;

Blankom Unknown

Updated: 2020-09-15 CVE-2020-24214	Unknown
CVE-2020-24215	Unknown CVE-2020-24216

Vendor Statement

We have not received a statement from the vendor.

Digicast Unknown

Updated: 2020-09-15 CVE-2020-24214	Unknown
CVE-2020-24215	Unknown CVE-2020-24216

Vendor Statement

We have not received a statement from the vendor.

ISEEVY Unknown

Updated: 2020-09-15 CVE-2020-24214	Unknown
CVE-2020-24215	Unknown CVE-2020-24216

Vendor Statement

We have not received a statement from the vendor.

MINE Technology Unknown

Updated: 2020-09-15 CVE-2020-24214	Unknown
CVE-2020-24215	Unknown CVE-2020-24216

Vendor Statement

We have not received a statement from the vendor.

Network Technologies Inc. Unknown

Updated: 2020-09-15 CVE-2020-24214	Unknown
CVE-2020-24215	Unknown CVE-2020-24216

Vendor Statement

We have not received a statement from the vendor.

Orivision Unknown

Updated: 2020-09-15 CVE-2020-24214	Unknown
CVE-2020-24215	Unknown CVE-2020-24216

Vendor Statement

We have not received a statement from the vendor.

WorldKast Unknown

Updated: 2020-09-15 CVE-2020-24214	Unknown
CVE-2020-24215	Unknown CVE-2020-24216

Vendor Statement

We have not received a statement from the vendor.

View all 13 vendors __View less vendors __

References

• <https://study.com/academy/lesson/video-over-ip-definition-characteristics.html&gt;
• <https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project&gt;
• <https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/&gt;
• <https://www.huawei.com/en/psirt/security-notices/2020/huawei-sn-20200917-01-hisilicon-en&gt;
• <https://www.huawei.com/en/psirt/security-notices/2020/huawei-sn-20200205-01-hisilicon-en&gt;

Other Information

CVE IDs:	CVE-2020-24214 CVE-2020-24215 CVE-2020-24216 CVE-2020-24217 CVE-2020-24218 CVE-2020-24219
Date Public:	2020-09-15 Date First Published: