U.S. CISA adds PTZOptics camera bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds PTZOptics PT30X-SDI/NDI camera bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-8957 PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
  • CVE-2024-8956 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability

Threat actors are attempting to exploit the two zero-day vulnerabilities CVE-2024-8956 and CVE-2024-8957 in PTZOptics pan-tilt-zoom (PTZ) live streaming cameras, GretNoise researchers warned last week.

GreyNoise discovered the two flaws while investigating the use of an exploit detected by its LLM-powered threat-hunting tool Sift.

The company discovered the zero-day vulnerabilities in IoT live-streaming cameras, used in industrial operations, healthcare, and other sensitive environments.

PTZOptics cameras

The attacker used automated, wide-scale reconnaissance to deploy the exploit.

GreyNoise worked with VulnCheck to disclose the two vulnerabilities responsibly.   

“The vulnerabilities impact NDI-enabled pan-tilt-zoom (PTZ) cameras from multiple manufacturers. Affected devices use VHD PTZ camera firmware < 6.3.40 used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63.” reads the analysis published by GreyNoise. “These cameras, which feature an embedded web server allowing for direct access by web browser, are reportedly deployed in environments where reliability and privacy are crucial”

CVE-2024-8956 (CVSS score of 9.1) is an inadequate authentication mechanisms that could allow an attacker to access sensitive information like usernames, MD5 password hashes, and configuration data.

CVE-2024-8957 (CVSS score of CVSS 7.2) is an OS Command Injection. An attacker could trigger this with CVE-2024-8956 to execute arbitrary OS commands on the affected cameras, potentially allowing an attacker to seize full control of the system. 

An attacker could exploit the flaw to fully take over devices, view or alter video feeds, and compromise sensitive sessions like business meetings or telehealth. Compromised cameras could be added to botnets and use them to perform denial-of-service attacks. Attackers can also trigger flaws to extract network details to infiltrate connected systems, increasing the risk of data breaches and ransomware attacks. Additionally, attackers could misconfigure or disable cameras entirely, disrupting operations in industrial and other sensitive settings.

GreyNoise also observed an instance of an attack using wget to download a shell script for reverse shell access.

“Organizations using VHD PTZ camera firmware < 6.3.40 used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63 should take immediate action to patch the discovered vulnerabilities and secure their systems.  VulnCheck alerted affected manufacturers to the flaws, only receiving a response from PTZOptics. The manufacturer released firmware updates addressing these flaws.” concludes the report.

“Read the GreyNoise Labs blog for technical analysis and deeper insight into how Sift helped discover these zero-day vulnerabilities.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by November 25, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)