An urgent alert has been issued regarding two critical vulnerabilities in PTZOptics PT30X-SDI/NDI cameras. The flaws could allow attackers to take control of cameras, bypass authentication, exfiltrate data, or remotely alter device configuration, which could lead to unauthorized access to video feeds and possible data breaches for enterprises.
The Cybersecurity and Infrastructure Security Agency (CISA) has added the two flaws, identified as CVE-2024-8957 and CVE-2024-8956, to its Known Exploited Vulnerabilities (KEV) Catalog.
CVE-2024-8957 affects PTZOptics cameras running firmware versions older than 6.3.40. It allows remote, authenticated attackers to escalate their privileges to root by injecting crafted payloads into the `ntp_addr` parameter of the `/cgi-bin/param.cgi` script.
During the `ntp_client` startup, the unauthorized command can be executed, providing the attacker with complete control over the device. The vulnerability is classified under CWE-78 for OS Command Injection.
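A defender can look for this pattern in web access logs. The following is an added example, not code from CISA or PTZOptics: it flags requests to `/cgi-bin/param.cgi` whose `ntp_addr` value is anything other than a bare hostname or IP literal. It assumes the cameras sit behind a proxy or gateway that writes common/combined-format access logs and that `ntp_addr` appears as a query-string key; the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin/param.cgi"  # script named in the advisory
PARAM = "ntp_addr"                  # parameter named in the advisory

# Assumed log shape: common/combined access log, request field "METHOD target PROTO"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})*")

def is_plain_ntp_server(value):
    """True only for a bare hostname or IP literal, all an NTP server setting needs."""
    if HOSTNAME_RE.fullmatch(value):
        return True
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        return False

def scan(lines):
    """Return (client_ip, decoded_value) for param.cgi requests with an odd ntp_addr."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes, so encoded metacharacters are compared in clear
        for value in parse_qs(url.query).get(PARAM, []):
            if not is_plain_ntp_server(value):
                hits.append((m["ip"], value))
    return hits

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    '192.0.2.10 - - [01/Nov/2024:10:00:00 +0000] "GET /cgi-bin/param.cgi?ntp_addr=time.example.org HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Nov/2024:10:05:00 +0000] "GET /cgi-bin/param.cgi?ntp_addr=time.example.org%3BPLACEHOLDER HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/Nov/2024:10:06:00 +0000] "GET /cgi-bin/param.cgi?ntp_addr=192.0.2.123 HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Nov/2024:10:07:00 +0000] "GET /index.html?ntp_addr=a%20b HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"review: {ip} sent {PARAM}={value!r}")
```

Access logs normally omit request bodies, so parameters sent in a POST body are not visible to this check and need proxy-level or packet-level inspection instead.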
CVE-2024-8956 is an insecure direct object reference (IDOR) vulnerability that allows attackers to bypass authentication controls within the `/cgi-bin/param.cgi` script.
This flaw impacts PTZOptics cameras running firmware versions before 6.3.40, enabling unauthorized access to sensitive functions and data without proper credentials. It is listed under CWE-287 for Improper Authentication.
These vulnerabilities underline the security challenges facing Internet of Things (IoT) devices, including surveillance cameras such as those from PTZOptics, which have access to sensitive data and limited built-in security measures.
CISA strongly advises users to upgrade their devices to firmware version 6.3.40 to mitigate these vulnerabilities. If updating is not feasible, users should discontinue the use of these vulnerable devices to prevent potential unauthorized access and data compromise. The deadline for remediation actions is set for November 25, 2024.
The most recent CISA warning concerns an unpatched vulnerability that affects ScienceLogic SL1, formerly known as EM7, potentially allowing remote code execution. CISA added the flaw to its Known Exploited Vulnerabilities catalog after discovering active zero-day exploitation.