Botnet exploits GeoVision zero-day to install Mirai malware

November 15, 2024 at 02:40PM

A malware botnet is exploiting a critical zero-day vulnerability (CVE-2024-11120) in unsupported GeoVision devices for potential DDoS and cryptomining attacks. Approximately 17,000 devices are at risk, primarily in the U.S. Signs of compromise include overheating and slow performance. Replacement with supported models is advised.

**Meeting Takeaways:**

1. **Vulnerability Overview**:
– **Vulnerability**: CVE-2024-11120, a critical severity OS command injection flaw (CVSS v3.1 score: 9.8).
– **Discovered by**: Piotr Kijewski of The Shadowserver Foundation.
– **Impact**: Allows unauthenticated attackers to execute arbitrary system commands on end-of-life GeoVision devices.

2. **Affected Devices**:
– **Models Impacted**:
  – GV-VS12 (2-channel video server)
  – GV-VS11 (single-channel video server)
  – GV-DSP LPR V3 (license plate recognition system)
  – GV-LX4C V2 / GV-LX4C V3 (compact digital video recorders)
– All affected models have reached end-of-life status and are no longer supported by the vendor.

3. **Exploit Status**:
– The vulnerability is being actively exploited by a malware botnet, possibly a variant of Mirai.
– Approximately **17,000 exposed GeoVision devices** online are vulnerable to this exploit.

4. **Geographic Distribution**:
– **Most Exposed Devices**:
  – United States: 9,100
  – Germany: 1,600
  – Canada: 800
  – Taiwan: 800
  – Japan: 350
  – Spain: 300
  – France: 250

5. **Symptoms of Compromise**:
– Devices may exhibit excessive heat, slow performance, unresponsive behavior, or unauthorized configuration changes.

6. **Recommended Actions**:
– If symptoms are noticed:
  – Perform a device reset.
  – Change the default admin password to a strong one.
  – Disable remote access panels.
  – Use a firewall for protection.
– Ideally, replace affected devices with those that are actively supported. If not possible, isolate them on a dedicated LAN or subnet and monitor closely.