CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: NONE; Availability Impact: NONE
CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
EPSS: 0.277 Low; Percentile: 96.8%
Multiple vulnerabilities exist in various Video Over IP (Internet Protocol) encoder devices, also known as IPTV/H.264/H.265 video encoders. These vulnerabilities allow an unauthenticated remote attacker to execute arbitrary code and perform other unauthorized actions on a vulnerable system.
IPTV/H.264/H.265 video encoder devices provide video streaming capability over IP networks. The underlying software in these devices seems to share common components that have multiple weaknesses in their design and default configuration.
The vulnerabilities occur primarily in network services such as the web and telnet interfaces. They stem from software bugs, such as insufficient validation of user input, and from the use of insecure credentials in the form of hard-coded passwords (<https://owasp.org/www-project-top-ten/>). The vulnerable components may also be present in other Internet of Things (IoT) devices.
These devices are manufactured using components acquired from a complex supply chain and are often sold through common outlets such as retail stores and e-commerce websites. This makes it difficult to identify impacted devices and notify the appropriate stakeholders, illustrating the dire need for a Software Bill of Materials (SBOM) in this growing and complex digital market.
Further details of these vulnerabilities can be found in this blog post by Alexei Kojenov.
The impact of these vulnerabilities is summarized in the following list:
Contact your vendor. See also the Vendor Information section below.
Restrict network access to these devices to a well-protected local area network (LAN) or place them behind a firewall. Allowing direct Internet access to these devices increases the risk of compromise and potential abuse by an unauthorized remote attacker.
Alexei Kojenov <https://kojenov.com/> researched and reported these vulnerabilities.
This document was written by Vijay Sarvepalli.
896979
Notified: 2020-08-20 Updated: 2022-02-11
Statement Date: February 11, 2022
CVE | Status
---|---
CVE-2020-24214 | Affected
CVE-2020-24215 | Affected
CVE-2020-24216 |
We have not received a statement from the vendor.
Firmware V3.02 fixes this issue. Please obtain the update from https://jtechdigital.com/product/h264-ip-encoder-live-streaming/
Notified: 2020-09-18 Updated: 2020-09-28
Statement Date: September 25, 2020
CVE | Status
---|---
CVE-2020-24214 | Affected
CVE-2020-24215 | Affected
CVE-2020-24216 |
We have not received a statement from the vendor.
Oupree’s statement was provided by New Orange in support of the downstream vendor.
Updated: 2020-09-28
Statement Date: September 25, 2020
CVE | Status
---|---
CVE-2020-24214 | Affected
CVE-2020-24215 | Affected
CVE-2020-24216 |
We have not received a statement from the vendor.
Please see the security advisory on Oupree’s website, which was provided by New Orange.
Updated: 2020-09-18
Statement Date: September 08, 2020
CVE | Status
---|---
CVE-2020-24214 | Affected
CVE-2020-24215 | Affected
CVE-2020-24216 |
Last patch is available for customers upon request for the latest software.
According to Alexei’s testing, ProVideo devices were not found vulnerable to CVE-2020-24218 and CVE-2020-24219.
Updated: 2020-09-15
CVE | Status
---|---
CVE-2020-24214 | Affected
CVE-2020-24215 | Affected
CVE-2020-24216 |
We have not received a statement from the vendor.
Notified: 2020-09-14 Updated: 2020-09-17
Statement Date: September 16, 2020
CVE | Status
---|---
CVE-2020-24214 | Not Affected
CVE-2020-24215 | Not Affected
CVE-2020-24216 |
We have confirmed that we are not affected by this vulnerability and the Security Notice has been released.
Updated: 2020-09-15
CVE | Status
---|---
CVE-2020-24214 | Unknown
CVE-2020-24215 | Unknown
CVE-2020-24216 |
We have not received a statement from the vendor.
Updated: 2020-09-15
CVE | Status
---|---
CVE-2020-24214 | Unknown
CVE-2020-24215 | Unknown
CVE-2020-24216 |
We have not received a statement from the vendor.
Updated: 2020-09-15
CVE | Status
---|---
CVE-2020-24214 | Unknown
CVE-2020-24215 | Unknown
CVE-2020-24216 |
We have not received a statement from the vendor.
Updated: 2020-09-15
CVE | Status
---|---
CVE-2020-24214 | Unknown
CVE-2020-24215 | Unknown
CVE-2020-24216 |
We have not received a statement from the vendor.
Updated: 2020-09-15
CVE | Status
---|---
CVE-2020-24214 | Unknown
CVE-2020-24215 | Unknown
CVE-2020-24216 |
We have not received a statement from the vendor.
Updated: 2020-09-15
CVE | Status
---|---
CVE-2020-24214 | Unknown
CVE-2020-24215 | Unknown
CVE-2020-24216 |
We have not received a statement from the vendor.
Updated: 2020-09-15
CVE | Status
---|---
CVE-2020-24214 | Unknown
CVE-2020-24215 | Unknown
CVE-2020-24216 |
We have not received a statement from the vendor.
CVE IDs: CVE-2020-24214, CVE-2020-24215, CVE-2020-24216, CVE-2020-24217, CVE-2020-24218, CVE-2020-24219
Date Public: 2020-09-15
Date First Published:
kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
study.com/academy/lesson/video-over-ip-definition-characteristics.html
wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project
www.huawei.com/en/psirt/security-notices/2020/huawei-sn-20200205-01-hisilicon-en
www.huawei.com/en/psirt/security-notices/2020/huawei-sn-20200917-01-hisilicon-en