Executive Summary
Summary | |
---|---|
Title | IPTV encoder devices contain multiple vulnerabilities |
Informations | |||
---|---|---|---|
Name | VU#896979 | First vendor Publication | 2020-09-15 |
Vendor | VU-CERT | Last vendor Modification | 2020-09-28 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |||
---|---|---|---|
Overall CVSS Score | 9.8 | ||
Base Score | 9.8 | Environmental Score | 9.8 |
impact SubScore | 5.9 | Temporal Score | 9.8 |
Exploitabality Sub Score | 3.9 | ||
Attack Vector | Network | Attack Complexity | Low |
Privileges Required | None | User Interaction | None |
Scope | Unchanged | Confidentiality Impact | High |
Integrity Impact | High | Availability Impact | High |
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
OverviewMultiple vulnerabilities exist in various Video Over IP (Internet Protocol) encoder devices, also known as IPTV/H.264/H.265 video encoders. These vulnerabilities allow an unauthenticated remote attacker to execute arbitrary code and perform other unauthorized actions on a vulnerable system. DescriptionIPTV/H.264/H.265 video encoder devices provide video streaming capability over IP networks. The underlying software in these devices seem to share common components that have multiple weaknesses in their design and default configuration. The vulnerabilities occur primarily in the network services such as web and telnet interfaces. These vulnerabilities stem from software bugs, such as insufficient validation of user input and the use of insecure credentials through hard-coded passwords. https://owasp.org/www-project-top-ten/. The vulnerable components may also be present in other Internet of Things (IoT) devices. These devices are manufactured using components acquired from a complex supply chain and are often sold through common outlets such as retail stores and e-commerce websites. This makes it difficult to identify impacted devices and notify the appropriate stakeholders, thus illustrating the dire need for Software Bill of Materials SBOM in this growing and complex digital market. Further details of these vulnerabilities can be found in this blog post by Alexei Kojenov. ImpactThe impact of these vulnerabilities are summarized in the following list:
SolutionApply UpdatesContact your vendor. See also the Vendor Information section below. Restrict network accessRestrict network access of these devices to a well protect local area network (LAN) or through a firewall. Allowing direct Internet access to these devices increases the risk of compromise and potential abuse from an unauthorized remote attacker. AcknowledgementsAlexei Kojenov https://kojenov.com/ researched and reported these vulnerabilities. This document was written by Vijay Sarvepalli. |
Original Source
Url : https://kb.cert.org/vuls/id/896979 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-798 | Use of Hard-coded Credentials (CWE/SANS Top 25) |
25 % | CWE-306 | Missing Authentication for Critical Function (CWE/SANS Top 25) |
25 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Os | 1 | |
Os | 1 | |
Os | 1 | |
Os | 1 | |
Os | 1 | |
Os | 1 | |
Os | 1 |
Alert History
Date | Informations |
---|---|
2021-01-19 21:18:06 |
|
2020-09-28 17:17:31 |
|
2020-09-21 09:17:31 |
|
2020-09-18 05:17:33 |
|
2020-09-17 17:19:13 |
|
2020-09-15 21:17:45 |
|