CVE-2024-8956 (CVSS 9.1): PTZOptics Cameras Vulnerable to Remote Attacks
A recently disclosed security flaw, CVE-2024-8956, poses a significant risk to users of certain PTZ cameras, including popular models from PTZOptics. This vulnerability, rated CVSS 9.1, opens the door for remote attackers to gain unauthorized access to sensitive data and alter device configurations, making it one of the most severe issues reported in recent times for networked AV equipment.
The root cause of CVE-2024-8956 is an insufficient authentication mechanism. Specifically, the affected devices fail to enforce proper authentication for requests sent to the /cgi-bin/param.cgi endpoint when no HTTP Authorization header is included. This flaw allows a remote attacker, without any authentication, to retrieve sensitive data including usernames, password hashes, and configuration details.
Worse still, the vulnerability permits attackers not only to view sensitive data but also to alter configuration values or overwrite entire configuration files. In practical terms, this could result in hijacked camera control, altered security settings, and potentially malicious usage of the device for further exploits in the network.
Konstantin Lazarev of GreyNoise is credited with discovering this vulnerability.
This flaw is found in the following camera models:
- PTZOptics PT30X-SDI (versions prior to 6.3.40)
- PTZOptics PT30X-NDI-xx-G2 (versions prior to 6.3.40)
- Other AV equipment that utilizes ValueHD Corporation PTZ camera firmware, which is commonly white-labeled.
The good news is that PTZOptics has already released firmware updates to patch this flaw. The issue has been resolved in firmware version 6.3.40, which is available for affected models. Firmware updates should be applied as soon as possible to secure the devices from exploitation.
