Hackers are trying to use two zero-day vulnerabilities in PTZOptics pan-tilt-zoom (PTZ) stay streaming cameras utilized in industrial, healthcare, enterprise conferences, authorities, and courtroom settings.
In April 2024, GreyNoise found CVE-2024-8956 and CVE-2024-8957 after its AI-powered risk detection instrument, Sift, detected uncommon exercise on its honeypot community that didn’t match any identified threats.
Upon examination of the alert, GreyNoise researchers uncovered an exploit try that focused the digicam’s CGI-based API and embedded ‘ntp_client’ aiming to attain command injection.
A technical deep-dive by GreyNoise researcher Konstantin Lazarev offers extra information on the 2 flaws.
CVE-2024-8956 is a weak authentication drawback within the digicam’s ‘lighthttpd’ net server, permitting unauthorized customers to entry the CGI API with out an authorization header, which exposes usernames, MD5 password hashes, and community configurations.
CVE-2024-8957 is attributable to inadequate enter sanitization within the ‘ntp. addr’ discipline processed by the ‘ntp_client’ binary, permitting attackers to make use of a specifically crafted payload to insert instructions for distant code execution.
Greynoise notes that exploitation of those two flaws can result in full digicam takeover, an infection with bots, pivoting to different gadgets related on the identical community, or disruption of video feeds.
The cybersecurity agency stories that whereas the supply of the preliminary exercise went silent shortly after the honeypot assaults, a separate try utilizing wget to obtain a shell script for reverse shell entry was noticed in June.
Disclosure and fixing standing
Upon discovering CVE-2024-8956 and CVE-2024-8957, GreyNoise labored with VulnCheck for accountable disclosure to impacted distributors.
Units impacted by the 2 flaws are NDI-enabled cameras primarily based on Hisilicon Hi3516A V600 SoC V60, V61, and V63, which run VHD PTZ digicam firmware variations older than 6.3.40.
This contains a number of fashions from PTZOptics, Multicam Programs SAS cameras, and SMTAV Company gadgets.
PTZOptics launched a safety replace on September 17, however fashions just like the PT20X-NDI-G2 and PT12X-NDI-G2 didn’t get a firmware replace resulting from having reached end-of-life.
Later, GreyNoise found that at the very least two newer fashions, PT20X-SE-NDI-G3, and PT30X-SE-NDI-G3, which additionally did not obtain a patch, have been impacted too.
PTZOptics was notified in regards to the expanded scope by VulnCheck on October 25, however no fixes for these fashions have been launched as of writing.
GreyNoise informed BleepingComputer that the issues doubtless have an effect on a broad vary of digicam fashions.
“We (strongly) consider {that a} wider vary of gadgets is affected, probably indicating that the precise offender lies throughout the SDK the producer (ValueHD / VHD Company) makes use of,” GreyNoise informed BleepingComputer.
That being mentioned, customers ought to verify with their machine vendor to see if fixes for CVE-2024-8956 and CVE-2024-8957 have been included within the newest out there firmware replace for his or her gadgets.