WARNING: CRITICAL VULNERABILITIES IN PTZOPTICS DEVICES RESULT IN ARBITRARY COMMAND EXECUTION WHEN COMBINED. PATCH IMMEDIATELY!
CVE-2024-8956
CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVE-2024-8957
CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Risks
Two critical vulnerabilities have been identified in PTZOptics camera devices. First, the device does not enforce authentication on requests to /cgi-bin/param.cgi that lack an HTTP Authorization header, potentially exposing sensitive configurations. Second, insufficient validation of the ntp_addr configuration parameter can enable arbitrary command execution when the ntp_client is initiated.
These vulnerabilities are currently under active exploitation.
Furthermore, the vulnerability has a high impact on confidentiality, integrity, and availability.
Description
When these vulnerabilities are combined, a remote and unauthenticated attacker can fully compromise the affected devices by first gaining unauthorized access to sensitive data and configuration settings and then executing arbitrary OS commands. This can result in complete system takeover, leading to significant security risks and operational disruptions.
Recommended actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
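To support a review for historic compromise, the following added example (not part of the original advisory or any vendor tooling) triages request logs for the two conditions described above: requests to /cgi-bin/param.cgi without an Authorization header, and ntp_addr values that are not a plain hostname or IP address. The JSON log format, the `has_authorization` field and the assumption that ntp_addr appears as a query-string parameter are hypothetical; adapt them to what your proxy or sensor records.

```python
import ipaddress
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample records. Assumed format: one JSON object per request,
# as a reverse proxy or network sensor in front of the camera might log it.
SAMPLE_LOG = """\
{"src": "192.0.2.10", "url": "/cgi-bin/param.cgi?example=1", "has_authorization": true}
{"src": "203.0.113.5", "url": "/cgi-bin/param.cgi?example=1", "has_authorization": false}
{"src": "203.0.113.5", "url": "/cgi-bin/param.cgi?ntp_addr=198.51.100.7%3Bplaceholder", "has_authorization": false}
{"src": "192.0.2.10", "url": "/cgi-bin/param.cgi?ntp_addr=time.example.org", "has_authorization": true}
{"src": "192.0.2.10", "url": "/index.html", "has_authorization": false}
"""

# A DNS label: letters, digits and inner hyphens only, at most 63 characters.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def is_plain_ntp_address(value):
    """True only if value is an IP literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def triage(log_text):
    """Return (line number, source, reasons) for each suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        parts = urlsplit(rec["url"])
        if parts.path != "/cgi-bin/param.cgi":
            continue
        reasons = []
        if not rec.get("has_authorization", False):
            reasons.append("no Authorization header")
        # parse_qsl percent-decodes values, so encoded characters are checked too.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key == "ntp_addr" and not is_plain_ntp_address(value):
                reasons.append("ntp_addr is not a plain hostname or IP")
        if reasons:
            findings.append((lineno, rec["src"], reasons))
    return findings
```

Any finding on a device that was reachable before patching is a reason to inspect that device's current configuration rather than relying on the update alone.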