SB2024110147 - Multiple vulnerabilities in PTZOptics PT30X-SDI/NDI-xx IP camera

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Authentication (CVE-ID: CVE-2024-8956)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to missing authentication checks in /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. A remote non-authenticated attacker can gain unauthorized access to the IP camera and obtain sensitive information, such as usernames, password hashes, and configurations details or update camera configuration.

2) OS Command Injection (CVE-ID: CVE-2024-8957)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when handling the ntp_addr configuration value. A remote user can set a specially crafted value in the configuration file and execute arbitrary OS commands on the system.

Note, this vulnerability can be also exploited by an unauthenticated attacker if chained with #VU99606 (CVE-2024-8956).

Remediation

Install update from vendor's website.

References

• https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
• https://ptzoptics.com/firmware-changelog/