The Cybersecurity and Infrastructure Security Agency (CISA) has added two newly discovered vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog following confirmed reports of active exploitation. These vulnerabilities, identified as CVE-2024-8957 and CVE-2024-8956, impact PTZOptics PT30X-SDI/NDI cameras and pose substantial security risks, particularly to federal agencies and enterprises.
These vulnerabilities are a significant concern due to the ease with which attackers can exploit them to gain unauthorized control, potentially leading to severe data breaches and system compromises. CISA has urged federal agencies and users to apply vendor-provided mitigations promptly or discontinue using the affected devices if mitigations are unavailable. The deadline for remediation actions is set for November 25, 2024.
CVE-2024-8957: OS Command Injection Vulnerability
Overview
CVE-2024-8957, an OS command injection vulnerability, exists in PTZOptics PT30X-SDI/NDI cameras running firmware versions earlier than 6.3.40. This flaw enables a remote, authenticated attacker to escalate privileges to root by injecting a crafted payload into the ntp_addr parameter of the /cgi-bin/param.cgi CGI script.
Technical Details
In affected PTZOptics cameras, the OS command injection vulnerability is caused by insufficient validation of the ntp_addr configuration value. During the ntp_client startup, an attacker’s payload may be executed as a system command, granting root access. This escalation of privileges allows the attacker to gain complete control over the device, and if combined with CVE-2024-8956, an unauthenticated attacker could remotely execute arbitrary OS commands on the device.
The vulnerability is identified under CWE-78 (OS Command Injection). Although it is not currently known to be associated with ransomware campaigns, the potential for misuse remains high. The combination of command injection and authentication bypass (CVE-2024-8956) increases the risk significantly, as it allows attackers to exploit the device with minimal authentication barriers.
Action Required
Users are advised to update their devices to the latest firmware version, 6.3.40, following the vendor’s mitigation steps. If updating is not feasible, discontinuing the use of the product is strongly recommended to prevent unauthorized access and potential data compromise.
- Date Added to CISA KEV Catalog: November 4, 2024
- Remediation Due Date: November 25, 2024
CVE-2024-8956: Authentication Bypass Vulnerability
Overview
The second vulnerability, CVE-2024-8956, is an authentication bypass issue that allows unauthorized access to sensitive camera functions. PTZOptics PT30X-SDI/NDI cameras running firmware versions before 6.3.40 are affected. By exploiting this vulnerability, attackers can bypass authentication controls on the /cgi-bin/param.cgi script, enabling them to access and manipulate device configurations without requiring credentials.
Technical Details
CVE-2024-8956 stems from an insecure direct object reference (IDOR) vulnerability. In this case, the camera does not enforce proper authentication protocols, specifically when requests are sent without an HTTP Authorization header. This flaw allows attackers to retrieve sensitive data, such as usernames, password hashes, and configuration details. Furthermore, attackers could modify individual configuration values or overwrite the entire file, effectively hijacking control of the device.
Listed under CWE-287 (Improper Authentication), this vulnerability poses a risk of remote access and tampering with device settings. Combined with CVE-2024-8957, it enables attackers to achieve full remote code execution on affected devices. The absence of adequate authentication opens the door to potential data leakage and unauthorized adjustments to camera settings, underscoring the need for immediate remediation.
Action Required
CISA recommends that users apply the latest firmware patch from PTZOptics, which addresses this issue. If this mitigation cannot be implemented, discontinuing the use of the vulnerable devices is advised. Taking prompt action is crucial to prevent unauthorized access and potential breaches in sensitive environments.
- Date Added to CISA KEV Catalog: November 4, 2024
- Remediation Due Date: November 25, 2024
Broader Implications and Security Recommendations
The recent addition of these vulnerabilities to CISA’s KEV Catalog highlights the escalating security challenges faced by devices within the Internet of Things (IoT) space, including surveillance cameras, networked sensors, and other connected devices. IoT devices, such as PTZOptics cameras, are increasingly becoming primary targets for cybercriminals due to their access to sensitive data and limited built-in security measures.
In cases like CVE-2024-8957 and CVE-2024-8956, attackers can potentially gain control over cameras, bypass authentication, exfiltrate data, or even alter device configurations remotely. These actions could have far-reaching consequences for enterprises, from unauthorized access to video feeds to potential data breaches. Given the high risk posed by command injection and authentication bypass vulnerabilities, organizations should implement the following best practices:
- Patch Management
- Regularly update firmware for IoT devices, particularly those with known security flaws. Ensure devices operate on the latest, most secure firmware versions to prevent vulnerabilities from being exploited.
- Network Segmentation
- Isolate IoT devices on separate networks from critical assets to limit exposure. This reduces the impact of a potential breach by containing it within a smaller, controlled environment.
- Monitoring and Logging
- Establish comprehensive monitoring and logging protocols for IoT devices. Continuous monitoring can help detect suspicious activities, while logging provides insights into abnormal behavior that might indicate an exploit attempt.
- Authentication Controls
- Enhance authentication requirements for accessing sensitive systems and ensure all configuration changes require verified credentials. Implement strong password policies and multifactor authentication wherever possible.
- Vendor Communication
- Maintain open communication with device vendors to stay informed of security updates and vulnerabilities. Many vendors provide timely alerts and recommended actions when new vulnerabilities are discovered.
CISA’s proactive approach in cataloging known exploited vulnerabilities and setting mandatory remediation timelines emphasizes the importance of safeguarding IoT devices against evolving cyber threats. As the use of IoT technology continues to grow, staying updated with the latest security advisories and practicing diligent network hygiene will be essential in minimizing exposure to cyber risks.