CVE-2024-8957

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: Sep 17, 2024 / Updated: 2mo ago

CVSS 9.8 / EPSS 0.04% / Critical

Summary

PTZOptics PT30X-SDI/NDI-xx devices with firmware versions prior to 6.3.40 are vulnerable to an OS command injection issue. The vulnerability stems from insufficient validation of the ntp_addr configuration value, which can lead to arbitrary command execution when ntp_client is started. When combined with another vulnerability (CVE-2024-8956), this issue allows a remote and unauthenticated attacker to execute arbitrary OS commands on affected devices.

Impact

This vulnerability has a critical impact, with a CVSS v3.1 base score of 9.8. It allows for arbitrary OS command execution on affected devices. When chained with CVE-2024-8956, it enables a remote and unauthenticated attacker to execute arbitrary OS commands, potentially leading to complete system compromise. The impact is severe, affecting the confidentiality, integrity, and availability of the system. Attackers could potentially gain full control over the affected cameras, manipulate their functionality, access sensitive data, or use the compromised devices as a stepping stone for further network intrusion.

Exploitation

There is no evidence that a public proof-of-concept exists. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by various sources, including securityaffairs.com.

Patch

A patch is available. The vulnerability is fixed in firmware version 6.3.40 and later for PTZOptics PT30X-SDI/NDI-xx devices. It is crucial to update all affected devices to this version or later immediately.

Mitigation

1. Immediately update the firmware of all PTZOptics PT30X-SDI/NDI-xx devices to version 6.3.40 or later.
2. If immediate patching is not possible, consider isolating affected devices from the network or restricting network access to trusted sources only.
3. Monitor for any suspicious activities or unauthorized commands executed on these devices.
4. Regularly review and validate NTP configuration settings on the devices.
5. Implement network segmentation to limit the potential impact if a device is compromised.
6. Apply the principle of least privilege for all accounts and services interacting with these devices.
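For the NTP configuration review in the mitigation list, one way to audit collected ntp_addr values is sketched below as an added example; it is not PTZOptics or Feedly code. The inventory dict, device names and function names are hypothetical, and the allowlist (IP literal or RFC 1123 hostname) is an assumption about what a legitimate NTP server setting looks like.

```python
import ipaddress
import re
import string

# Characters a hostname or IP literal can legitimately contain.
ALLOWED = set(string.ascii_letters + string.digits + ".-:")
# RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_ntp_addr(value):
    """Return (ok, reason) for a single ntp_addr setting."""
    if not isinstance(value, str) or not value or len(value) > 253:
        return False, "empty, non-string or over 253 characters"
    # Run the character allowlist BEFORE ipaddress parsing: Python 3.9+
    # accepts an IPv6 scope id after '%' that may hold arbitrary characters.
    bad = sorted(set(value) - ALLOWED)
    if bad:
        return False, "disallowed characters: " + ", ".join(repr(c) for c in bad)
    try:
        ipaddress.ip_address(value)
        return True, "IP literal"
    except ValueError:
        pass
    if all(_LABEL.fullmatch(label) for label in value.split(".")):
        return True, "hostname"
    return False, "not an IP literal or RFC 1123 hostname"


def audit(inventory):
    """Return (device, value, reason) for every setting that fails the check."""
    findings = []
    for device, value in inventory.items():
        ok, reason = check_ntp_addr(value)
        if not ok:
            findings.append((device, value, reason))
    return findings


# Constructed sample inventory (hypothetical device names and values).
SAMPLE = {
    "cam-lobby": "time.example.org",
    "cam-stage": "192.0.2.10",
    "cam-hall": "2001:db8::123",
    "cam-roof": "time.example.org;echo test",
    "cam-dock": "fe80::1%a;b",
    "cam-gym": "-bad-.example.org",
}

if __name__ == "__main__":
    for device, value, reason in audit(SAMPLE):
        print(f"{device}: {value!r} -> {reason}")
```

A flagged value on a device running firmware older than 6.3.40 warrants investigation, not just correction of the setting.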

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article
Feedly found the first article mentioning CVE-2024-8957.
Sep 17, 2024 at 9:12 PM / VulDB Recent Entries

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Sep 17, 2024 at 9:12 PM

CVE Assignment
NVD published the first details for CVE-2024-8957
Sep 17, 2024 at 9:15 PM

CVSS
A CVSS base score of 7.2 has been assigned.
Sep 17, 2024 at 9:21 PM / nvd

EPSS
EPSS Score was set to: 0.04% (Percentile: 10.3%)
Sep 18, 2024 at 9:32 AM

CVSS
A CVSS base score of 9.8 has been assigned.
Oct 1, 2024 at 5:50 PM / nvd

Exploitation in the Wild
Attacks in the wild have been reported by Security Affairs.
Nov 2, 2024 at 7:22 AM / Security Affairs

Threat Intelligence Report
CVE-2024-8957 is a critical vulnerability that allows for remote code execution (RCE) and is associated with the exploitation of 0-day vulnerabilities, potentially facilitated by large language models (LLMs). The details regarding its CVSS score, exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on third-party vendors are not provided in the given information. Further investigation is necessary to assess the full scope and implications of this vulnerability.
Nov 2, 2024 at 12:10 PM

Exploitation in the Wild
Attacks in the wild have been reported by inthewild.io.
Nov 4, 2024 at 12:00 AM / inthewild.io

Affected Systems

Ptzoptics/pt30x-ndi-xx-g2_firmware

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

References

PTZOptics, Two Security Flaws Exploited on PT30X-SDI/NDI Cameras. - Nicolas Coolman
On November 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued a security alert regarding two critical vulnerabilities affecting PTZOptics PT30X-SDI/NDI cameras. Details : This vulnerability allows an authenticated, remote attacker to inject a malicious command via the parameter from the script, giving it root privileges.
Critical Flaw Found In PTZOptics Cameras
By exploiting this vulnerability, attackers can bypass authentication controls on the /cgi-bin/param.cgi script, enabling them to access and manipulate device configurations without requiring credentials. CVE-2024-8957, an OS command injection vulnerability, exists in PTZOptics PT30X-SDI/NDI cameras running firmware versions earlier than 6.3.40.
CISA Flags Critical Security Flaws in PTZOptics Cameras, Urges Swift Action by Federal Agencies
By exploiting this vulnerability, attackers can bypass authentication controls on the /cgi-bin/param.cgi script, enabling them to access and manipulate device configurations without requiring credentials. Overview CVE-2024-8957, an OS command injection vulnerability, exists in PTZOptics PT30X-SDI/NDI cameras running firmware versions earlier than 6.3.40.

News

CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation: CVE-2024-8957 (PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability) and CVE-2024-8956 (PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability). These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Greynoise, AI, Zero-Days: AI's Rapid Advancement in the Field of IDR
GreyNoise Intelligence has recently identified two critical zero-day vulnerabilities in IoT-connected live-streaming cameras, highlighting the need for enhanced cybersecurity measures and proactive detection capabilities in widely deployed devices. GreyNoise’s application of AI in incident detection and response (IDR) offers a strong case for using machine learning in managing and mitigating cybersecurity threats, especially in high-stakes settings that involve real-time data and sensitive environments.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
