Authentication Bypass and Command Injection Vulnerability in ValueHD PTZ Cameras

ISGroup Cybersecurity

Security researchers identified suspicious activity targeting ValueHD PTZ cameras on April 23, 2024. The detected exploitation attempts originated from the IP address 45.128.232.229 and included attempts to download and execute shell scripts on vulnerable devices. Due to the widespread use of these cameras in enterprise-level video production and broadcasting environments, the potential risks arising from unauthorized access and remote command execution are significant.

ProductValueHD PTZ Camera
Date2024-11-04 10:11:11
Information
  • Fix Available
  • Active Exploitation

Technical Summary

The suspected vulnerabilities could allow unauthenticated access to configuration data and remote command execution. The first vulnerability (CVE-2024-8956) could allow attackers to bypass authentication on the param.cgi endpoint, potentially exposing system configuration details, including password hashes. The second vulnerability (CVE-2024-8957) appears to allow command injection through the NTP server configuration, enabling the execution of arbitrary remote commands. Affected devices include ValueHD PTZ cameras with firmware versions lower than 6.3.40, used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation products based on the Hisilicon Hi3516A V600 (V60, V61, V63) SoC.

Recommendations

  • Update firmware to version 6.3.40 or higher.
  • Place cameras behind a firewall or VPN to restrict unauthorized access.
  • Segment the network to isolate PTZ cameras from other critical infrastructure.
  • Continuously monitor access attempts to the param.cgi endpoint for anomalous activity.

[Callforaction-THREAT-Footer]