Vulnerability Details CVE-2020-24217
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. The file-upload endpoint does not enforce authentication. Attackers can send an unauthenticated HTTP request to upload a custom firmware component, possibly in conjunction with command injection, to achieve arbitrary code execution.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.536
EPSS Ranking 97.8%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://packetstormsecurity.com/files/159597/HiSilicon-Video-Encoder-Command-Injection.html
- http://packetstormsecurity.com/files/159599/HiSilicon-Video-Encoder-Malicious-Firmware-Code-Execution.html
- https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
- https://www.kb.cert.org/vuls/id/896979
- http://packetstormsecurity.com/files/159597/HiSilicon-Video-Encoder-Command-Injection.html
- http://packetstormsecurity.com/files/159599/HiSilicon-Video-Encoder-Malicious-Firmware-Code-Execution.html
- https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
- https://www.kb.cert.org/vuls/id/896979
Products affected by CVE-2020-24217
-
cpe:2.3:h:jtechdigital:h.264_iptv_encoder_1080p@60hz:-
-
cpe:2.3:h:provideoinstruments:vecaster-4k-hevc:-
-
cpe:2.3:h:provideoinstruments:vecaster-hd-h264:-
-
cpe:2.3:h:provideoinstruments:vecaster-hd-hevc:-
-
cpe:2.3:h:provideoinstruments:vecaster-hd-sdi:-
-
cpe:2.3:h:szuray:uaioe264-1u:-
-
cpe:2.3:h:szuray:uaioe265-1u:-
-
cpe:2.3:h:szuray:uce264-1-mini:-
-
cpe:2.3:h:szuray:uce264-1wb-mini:-
-
cpe:2.3:h:szuray:uce264-4-1u:-
-
cpe:2.3:h:szuray:uce264-8-1u:-
-
cpe:2.3:h:szuray:uhae264-16:-
-
cpe:2.3:h:szuray:uhae265-1-mini:-
-
cpe:2.3:h:szuray:uhae265-1wb-mini:-
-
cpe:2.3:h:szuray:uhae265-4-1u:-
-
cpe:2.3:h:szuray:uhce264-16p32:-
-
cpe:2.3:h:szuray:uhce264-1:-
-
cpe:2.3:h:szuray:uhce264-1p2-1u:-
-
cpe:2.3:h:szuray:uhce264-1p2:-
-
cpe:2.3:h:szuray:uhce264-1s:-
-
cpe:2.3:h:szuray:uhce264-1w:-
-
cpe:2.3:h:szuray:uhce264-1ws:-
-
cpe:2.3:h:szuray:uhce264-4p8:-
-
cpe:2.3:h:szuray:uhe264-1-4k:-
-
cpe:2.3:h:szuray:uhe264-16:-
-
cpe:2.3:h:szuray:uhe264-16l-3u:-
-
cpe:2.3:h:szuray:uhe264-16s-2u:-
-
cpe:2.3:h:szuray:uhe264-1l-4k:-
-
cpe:2.3:h:szuray:uhe264-1l:-
-
cpe:2.3:h:szuray:uhe264-1lw:-
-
cpe:2.3:h:szuray:uhe264-1s-mini:-
-
cpe:2.3:h:szuray:uhe264-1s:-
-
cpe:2.3:h:szuray:uhe264-1w-mini:-
-
cpe:2.3:h:szuray:uhe264-1wb-4g:-
-
cpe:2.3:h:szuray:uhe264-1wb-mini:-
-
cpe:2.3:h:szuray:uhe264-1wbs-2b:-
-
cpe:2.3:h:szuray:uhe264-1wbs-mini:-
-
cpe:2.3:h:szuray:uhe264-1ws-mini:-
-
cpe:2.3:h:szuray:uhe264-2-1u:-
-
cpe:2.3:h:szuray:uhe264-4-1u:-
-
cpe:2.3:h:szuray:uhe264-4:-
-
cpe:2.3:h:szuray:uhe264-4l-1u:-
-
cpe:2.3:h:szuray:uhe264-8-1u:-
-
cpe:2.3:h:szuray:uhe264-8:-
-
cpe:2.3:h:szuray:uhe264-8l-3u:-
-
cpe:2.3:h:szuray:uhe264-8s-2u:-
-
cpe:2.3:h:szuray:uhe265-1-1u:-
-
cpe:2.3:h:szuray:uhe265-1-4k:-
-
cpe:2.3:h:szuray:uhe265-1-mini:-
-
cpe:2.3:h:szuray:uhe265-16-3u:-
-
cpe:2.3:h:szuray:uhe265-16l-3u:-
-
cpe:2.3:h:szuray:uhe265-1:-
-
cpe:2.3:h:szuray:uhe265-1l:-
-
cpe:2.3:h:szuray:uhe265-1lw:-
-
cpe:2.3:h:szuray:uhe265-1s-4k:-
-
cpe:2.3:h:szuray:uhe265-1s-mini:-
-
cpe:2.3:h:szuray:uhe265-1w-4k:-
-
cpe:2.3:h:szuray:uhe265-1w-mini:-
-
cpe:2.3:h:szuray:uhe265-1w:-
-
cpe:2.3:h:szuray:uhe265-1wb-4g:-
-
cpe:2.3:h:szuray:uhe265-1wb-mini:-
-
cpe:2.3:h:szuray:uhe265-1wbs-mini:-
-
cpe:2.3:h:szuray:uhe265-2-1u:-
-
cpe:2.3:h:szuray:uhe265-4-1u:-
-
cpe:2.3:h:szuray:uhe265-4:-
-
cpe:2.3:h:szuray:uhe265-4s-1u:-
-
cpe:2.3:h:szuray:uhe265-4s:-
-
cpe:2.3:h:szuray:uhe265-8-1u:-
-
cpe:2.3:h:szuray:uhe265-8l-3u:-
-
cpe:2.3:h:szuray:uhe265-8s-1u:-
-
cpe:2.3:h:szuray:uhse265-1u:-
-
cpe:2.3:h:szuray:use264-16-3u:-
-
cpe:2.3:h:szuray:use264-1l-1u:-
-
cpe:2.3:h:szuray:use264-1l-mini:-
-
cpe:2.3:h:szuray:use264-1l:-
-
cpe:2.3:h:szuray:use264-1lw:-
-
cpe:2.3:h:szuray:use264-1wb-l:-
-
cpe:2.3:h:szuray:use264-4l-1u:-
-
cpe:2.3:h:szuray:use264-8-1u:-
-
cpe:2.3:h:szuray:use265-1-1u:-
-
cpe:2.3:h:szuray:use265-1-mini:-
-
cpe:2.3:h:szuray:use265-16l-3u:-
-
cpe:2.3:h:szuray:use265-1l-1u:-
-
cpe:2.3:h:szuray:use265-1l-mini:-
-
cpe:2.3:h:szuray:use265-1l:-
-
cpe:2.3:h:szuray:use265-1lw:-
-
cpe:2.3:h:szuray:use265-1w-mini:-
-
cpe:2.3:h:szuray:use265-1wb-4g:-
-
cpe:2.3:h:szuray:use265-1wb-l:-
-
cpe:2.3:h:szuray:use265-1wb-mini:-
-
cpe:2.3:h:szuray:use265-2-1u:-
-
cpe:2.3:h:szuray:use265-4-1u:-
-
cpe:2.3:h:szuray:use265-4l-1u:-
-
cpe:2.3:h:szuray:use265-8-1u:-
-
cpe:2.3:h:szuray:uve264-1l:-
-
cpe:2.3:h:szuray:uve264-1lw:-
-
cpe:2.3:h:szuray:uve265-1:-
-
cpe:2.3:h:szuray:uve265-1w:-
-
cpe:2.3:o:jtechdigital:h.264_iptv_encoder_1080p@60hz_firmware:-
-
cpe:2.3:o:provideoinstruments:vecaster-4k-hevc_firmware:-
-
cpe:2.3:o:provideoinstruments:vecaster-hd-h264_firmware:-
-
cpe:2.3:o:provideoinstruments:vecaster-hd-hevc_firmware:-
-
cpe:2.3:o:provideoinstruments:vecaster-hd-sdi_firmware:-
-
cpe:2.3:o:szuray:iptv/h.264_video_encoder_firmware:-
-
cpe:2.3:o:szuray:iptv/h.265_video_encoder_firmware:-