Exploit
CVE-2024-8956

Improper Authentication (CWE-287)

Published: Sep 17, 2024 / Updated: 2mo ago

CVSS 9.1 / EPSS 0.04% / Critical

Summary

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. As a result, a remote, unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configuration details. Additionally, the attacker can update individual configuration values or overwrite the whole file.

Impact

The impact of this vulnerability is severe. An unauthenticated attacker can remotely access sensitive information including usernames, password hashes, and configuration details of the affected PTZOptics cameras. This breach of confidentiality could lead to unauthorized access to the camera system. Furthermore, the attacker's ability to update configuration values or overwrite the entire configuration file poses a significant risk to the integrity of the camera's settings and operations. This could potentially lead to unauthorized control of the camera, disruption of its intended functionality, or use of the compromised device as a pivot point for further network attacks.

Exploitation

There is no evidence that a public proof-of-concept exists. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by various sources, including securityaffairs.com.

Patch

A patch is available. The vulnerability is fixed in firmware version 6.3.40 and later for PTZOptics PT30X-SDI/NDI-xx cameras.

Mitigation

1. Immediately update PTZOptics PT30X-SDI/NDI-xx cameras to firmware version 6.3.40 or later.
2. If immediate patching is not possible, implement network segmentation to isolate vulnerable cameras from the broader network.
3. Use a firewall to restrict access to the /cgi-bin/param.cgi endpoint, only allowing trusted IP addresses.
4. Monitor for any suspicious activities or unauthorized access attempts to the cameras.
5. After patching, conduct a thorough review of camera configurations and change all passwords as a precaution.
6. Implement regular vulnerability scanning and patching processes for all network-connected devices, including cameras.
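
One way to support the allow-list and monitoring steps above, as an added example that is not part of the original page or any vendor tooling: a log review that flags requests to /cgi-bin/param.cgi that came from outside the allow-list or were answered without credentials. It assumes a reverse proxy or gateway in front of the camera that writes combined-format access logs with `-` in the user field when no credentials were sent; the function name, allow-list and sample lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

ENDPOINT = "/cgi-bin/param.cgi"  # path named in the advisory
# Assumed combined log format: src ident user [time] "METHOD target proto" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def review_param_cgi_access(lines, allowed_sources):
    """Return (src, timestamp, reasons) for each suspicious param.cgi request."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Decode and collapse the path so //, ./ and %2f variants still match.
        path = posixpath.normpath(unquote(m["target"].split("?", 1)[0]))
        if path != ENDPOINT:
            continue
        reasons = []
        if m["src"] not in allowed_sources:
            reasons.append("source outside allow-list")
        # User "-" means no credentials; a 2xx reply means auth was not enforced.
        if m["user"] == "-" and m["status"].startswith("2"):
            reasons.append("answered without credentials")
        if reasons:
            findings.append((m["src"], m["ts"], reasons))
    return findings

# Constructed sample lines (documentation address ranges, placeholder query).
SAMPLE_LOG = [
    '192.0.2.10 - admin [04/Nov/2024:10:00:01 +0000] "GET /cgi-bin/param.cgi?constructed_query HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Nov/2024:10:02:13 +0000] "GET /cgi-bin/param.cgi?constructed_query HTTP/1.1" 200 2048',
    '203.0.113.7 - - [04/Nov/2024:10:02:20 +0000] "POST /cgi-bin//param.cgi HTTP/1.1" 200 17',
    '198.51.100.23 - - [04/Nov/2024:10:05:00 +0000] "GET /cgi-bin/param.cgi HTTP/1.1" 401 0',
    '192.0.2.10 - - [04/Nov/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 900',
    '192.0.2.10 - - [04/Nov/2024:10:07:00 +0000] "GET /cgi-bin/param.cgi HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in review_param_cgi_access(SAMPLE_LOG, {"192.0.2.10"}):
        print(finding)
```

A finding of "answered without credentials" from an allow-listed source still matters: it indicates the camera behind the proxy is not enforcing authentication and is likely running firmware older than 6.3.40.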

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-8956

Sep 17, 2024 at 8:15 PM
CVSS

A CVSS base score of 9.1 has been assigned.

Sep 17, 2024 at 8:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-8956.

Sep 17, 2024 at 8:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 17, 2024 at 8:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Sep 18, 2024 at 9:32 AM
Threat Intelligence Report

CVE-2024-8956 is a critical vulnerability in the PTZOptics PT30X-SDI/NDI-xx camera, with a CVSS score of 9.9, that allows remote attackers to exploit insufficient authentication to leak sensitive data and manipulate configuration settings. The vulnerability is present in firmware versions prior to 6.3.40, but the provided sentences do not specify if it is being actively exploited in the wild, nor do they mention any proof-of-concept exploits, mitigations, detections, or patches available. There is also no information regarding potential downstream impacts on other third-party vendors or technologies.

Sep 27, 2024 at 5:36 AM
Exploitation in the Wild

Attacks in the wild have been reported by Security Affairs.

Nov 2, 2024 at 7:22 AM / Security Affairs
Exploitation in the Wild

Attacks in the wild have been reported by inthewild.io.

Nov 4, 2024 at 12:00 AM / inthewild.io
Exploitation in the Wild

Attacks in the wild have been reported by CISA Known Exploited Vulnerability.

Nov 4, 2024 at 3:30 PM / CISA Known Exploited Vulnerability

Affected Systems

Ptzoptics/pt30x-ndi-xx-g2_firmware

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Links to MITRE ATT&CK

T1548: Abuse Elevation Control Mechanism

Attack Patterns

CAPEC-114: Authentication Abuse

References

PTZOptics, Two Security Flaws Exploited on PT30X-SDI/NDI Cameras. - Nicolas Coolman
On November 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued a security alert regarding two critical vulnerabilities affecting PTZOptics PT30X-SDI/NDI cameras. Details : This vulnerability allows an authenticated, remote attacker to inject a malicious command via the parameter from the script, giving it root privileges.
Critical Flaw Found In PTZOptics Cameras
By exploiting this vulnerability, attackers can bypass authentication controls on the /cgi-bin/param.cgi script, enabling them to access and manipulate device configurations without requiring credentials. CVE-2024-8957, an OS command injection vulnerability, exists in PTZOptics PT30X-SDI/NDI cameras running firmware versions earlier than 6.3.40.
CISA Flags Critical Security Flaws in PTZOptics Cameras, Urges Swift Action by Federal Agencies
By exploiting this vulnerability, attackers can bypass authentication controls on the /cgi-bin/param.cgi script, enabling them to access and manipulate device configurations without requiring credentials. Overview CVE-2024-8957, an OS command injection vulnerability, exists in PTZOptics PT30X-SDI/NDI cameras running firmware versions earlier than 6.3.40.

News

CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation: CVE-2024-8957 PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability; CVE-2024-8956 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Greynoise, AI, Zero-Days: AI's Rapid Advancement in the Field of IDR
GreyNoise Intelligence has recently identified two critical zero-day vulnerabilities in IoT-connected live-streaming cameras, highlighting the need for enhanced cybersecurity measures and proactive detection capabilities in widely deployed devices. GreyNoise’s application of AI in incident detection and response (IDR) offers a strong case for using machine learning in managing and mitigating cybersecurity threats, especially in high-stakes settings that involve real-time data and sensitive environments.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: None
