Vulnerability Description
An issue was discovered in the box application on HiSilicon-based IPTV/H.264/H.265 video encoders. Attackers can use hard-coded credentials in HTTP requests to perform any administrative task on the device, including retrieving the device's configuration (with the cleartext admin password) and uploading a custom firmware update, ultimately achieving arbitrary code execution.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Szuray | Iptv/H.264 Video Encoder Firmware | - |
| Szuray | Uaioe264-1U | - |
| Szuray | Uce264-1-Mini | - |
| Szuray | Uce264-1Wb-Mini | - |
| Szuray | Uce264-4-1U | - |
| Szuray | Uce264-8-1U | - |
| Szuray | Uhae264-16 | - |
| Szuray | Uhce264-1 | - |
| Szuray | Uhce264-16P32 | - |
| Szuray | Uhce264-1P2 | - |
| Szuray | Uhce264-1P2-1U | - |
| Szuray | Uhce264-1S | - |
| Szuray | Uhce264-1W | - |
| Szuray | Uhce264-1Ws | - |
| Szuray | Uhce264-4P8 | - |
| Szuray | Uhe264-1-4K | - |
| Szuray | Uhe264-16 | - |
| Szuray | Uhe264-16L-3U | - |
| Szuray | Uhe264-16S-2U | - |
| Szuray | Uhe264-1L | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/159601/HiSilicon-Video-Encoder-Backdoor-Pas (Exploit, Third Party Advisory)
- https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/ (Exploit, Third Party Advisory)
- https://www.kb.cert.org/vuls/id/896979 (Third Party Advisory, US Government Resource)
FAQ
What is CVE-2020-24215?
CVE-2020-24215 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can use hard-coded credentials in HTTP requests to perform any administrative task on the d...
How severe is CVE-2020-24215?
CVE-2020-24215 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-24215?
Check the references section above for vendor advisories and patch information. Affected products include: Szuray Iptv/H.264 Video Encoder Firmware, Szuray Uaioe264-1U, Szuray Uce264-1-Mini, Szuray Uce264-1Wb-Mini, Szuray Uce264-4-1U.