Hackers target critical zero-day vulnerability in PTZ cameras

October 31, 2024 at 02:26PM

Hackers are exploiting two zero-day vulnerabilities (CVE-2024-8956, CVE-2024-8957) in PTZOptics cameras, allowing unauthorized access and potential remote code execution. GreyNoise discovered these flaws, affecting various models, and reported them for responsible disclosure. PTZOptics released an update, but some devices remain unpatched, posing security risks. Users are advised to check with vendors.

### Meeting Takeaways

**Overview of Vulnerabilities:**
– Two zero-day vulnerabilities identified in PTZOptics PTZ live streaming cameras: **CVE-2024-8956** and **CVE-2024-8957**.
– These vulnerabilities affect devices used in various sectors, including industrial, healthcare, government, and business environments.

**Discovery:**
– GreyNoise discovered the vulnerabilities in April 2024 through unusual activity detection by its AI tool, Sift.
– Both vulnerabilities target the camera’s CGI-based API and the embedded ‘ntp_client’.

**Details of Vulnerabilities:**
1. **CVE-2024-8956:**
– Weak authentication in the ‘lighttpd’ web server.
– Allows unauthorized access to CGI API, exposing sensitive data (usernames, MD5 password hashes, network configurations).

2. **CVE-2024-8957:**
– Insufficient input sanitization in the ‘ntp. addr’ field.
– Allows command injection for remote code execution via specially crafted payloads.
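
A hardened way to handle an NTP server address, the field named under CVE-2024-8957, as an added example (not PTZOptics firmware code and not taken from GreyNoise): it allowlists IP literals and RFC 1123 hostnames, then passes the value as a single argv element instead of through a shell. The `NTP_CLIENT` path, the argument layout and the function names are assumptions.

```c
#include <arpa/inet.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical path: the page names the binary, not its location or arguments. */
#define NTP_CLIENT "/usr/sbin/ntp_client"

static int is_alnum_ascii(unsigned char c)
{
    return (c >= '0' && c <= '9') || ((c | 0x20) >= 'a' && (c | 0x20) <= 'z');
}

/* 1 if s is an IPv4/IPv6 literal or an RFC 1123 hostname, otherwise 0.
   Spaces, ';', '|', '$', backticks and a leading '-' all fail the allowlist. */
int valid_ntp_addr(const char *s)
{
    unsigned char buf[16];              /* large enough for an IPv6 address */
    size_t len, i, label = 0;

    if (s == NULL || (len = strlen(s)) == 0 || len > 253)
        return 0;
    if (inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1)
        return 1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')  /* empty label or "foo-." */
                return 0;
            label = 0;
        } else if (is_alnum_ascii(c) || (c == '-' && label > 0)) {
            if (++label > 63)                   /* DNS label length limit */
                return 0;
        } else {
            return 0;                           /* anything off the allowlist */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Validate, then exec with the address as one argv element: no shell parses it. */
int exec_ntp_client(const char *addr)
{
    if (!valid_ntp_addr(addr))
        return -1;
    execl(NTP_CLIENT, NTP_CLIENT, addr, (char *)NULL);
    return -1;                                  /* reached only if execl failed */
}
/* Constructed input with a shell metacharacter: rejected, nothing is executed. */
int main(void) { return exec_ntp_client("192.0.2.10;echo x") == -1 ? 0 : 1; }
```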

**Potential Impact:**
– Exploitation can lead to complete camera takeover, bot infections, lateral movement to connected devices, or video feed disruptions.

**Exploitation Timeline:**
– Initial activity diminished post-discovery, but a separate attempt in June using wget for reverse shell access was noted.

**Disclosure and Mitigation:**
– GreyNoise collaborated with VulnCheck for responsible disclosure to affected vendors.
– Impacted devices include various NDI-enabled PTZ cameras using Hisilicon Hi3516A SoC and running outdated VHD PTZ camera firmware (versions < 6.3.40).
– PTZOptics issued a security update on September 17; however, some models, including PT20X-NDI-G2 and PT12X-NDI-G2, did not receive updates due to end-of-life status.

**Extended Impact:**
– Newer models PT20X-SE-NDI-G3 and PT30X-SE-NDI-G3 were found to be affected without subsequent patches.
– GreyNoise indicates that the vulnerabilities may extend to a wider range of devices, potentially linked to the manufacturer's SDK.

**User Guidance:**
– Users are advised to contact their device vendors regarding the availability of firmware updates addressing these vulnerabilities.