Security researcher Alexei Kojenov has discovered serious security vulnerabilities in the software of video encoders built on HI3520D chipsets from Huawei subsidiary HiSilicon. Because one of the access paths he found uses a standard password, he even speaks of a backdoor.
IPTV/H.264/H.265 video encoder devices provide video streaming capabilities over IP networks. The underlying software in these devices appears to have common components that have several weaknesses in their design and default configuration.
Alexei Kojenov has disclosed the details in the article "Backdoors and other vulnerabilities in HiSilicon based hardware video encoders". It addresses critical vulnerabilities in IPTV/H.264/H.265 video encoders based on HiSilicon hi3520d hardware. The vulnerabilities are in the application software running on these devices.
The vulnerabilities mainly occur in network services such as the web and telnet interfaces. They are due to software flaws, such as insufficient validation of user input and insecure credentials in the form of hard-coded passwords (see https://owasp.org/www-project-top-ten/). Here is a list of the vulnerabilities found by Alexei Kojenov, compiled by cert.org.
- Full administrative access via backdoor password (CVE-2020-24215)
- Administrative root access via backdoor password (CVE-2020-24218)
- Arbitrary file read via path traversal (CVE-2020-24219)
- Unauthenticated file upload (CVE-2020-24217)
- Arbitrary code execution by uploading malicious firmware (CVE-2020-24217)
- Arbitrary code execution via command injection (CVE-2020-24217)
- Denial of service via buffer overflow (CVE-2020-24214)
- Unauthorized video stream access via RTSP (CVE-2020-24216)
Because some of the vulnerabilities rest on administrator accounts with root access via a default password, Kojenov speaks of backdoors. All vulnerabilities are remotely exploitable and can lead to the disclosure of sensitive information, denial of service and remote code execution, which can result in the complete takeover of the device.
The vulnerable components may also be present in other Internet of Things (IoT) devices. Since several vendors are affected and no full fixes were available at the time of release, these encoders should only be used in fully trusted networks behind firewalls. Huawei pointed out in a statement that none of the vulnerabilities were introduced by HiSilicon chips and the SDK packages. Who was responsible for the vulnerabilities and whether they are deliberately built-in backdoors will probably not be clarified. (via German site heise)
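To verify the recommendation above, the following added example (not code from the original article or from the researcher) can be run from a network segment that should not be able to reach the encoders. It reports which of the service types named in the article (web, telnet, RTSP) still accept TCP connections. The standard ports 80, 23 and 554 and the inventory addresses are assumptions; adjust them to your own devices.

```python
import socket

# Standard ports for the service types the article names. Assumption: the
# encoders use the default ports; change this if your devices are configured
# differently.
ENCODER_SERVICES = {"telnet": 23, "http": 80, "rtsp": 554}


def reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds from here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, ...
        return False


def audit(inventory, services=ENCODER_SERVICES, timeout=2.0):
    """Return (host, service, port) for every encoder service that is
    reachable from the machine running this check."""
    findings = []
    for host in inventory:
        for name, port in sorted(services.items()):
            if reachable(host, port, timeout):
                findings.append((host, name, port))
    return findings


if __name__ == "__main__":
    # Constructed inventory using RFC 5737 documentation addresses;
    # replace with the addresses of your own encoders.
    inventory = ["192.0.2.10", "192.0.2.11"]
    findings = audit(inventory)
    for host, name, port in findings:
        print(f"EXPOSED {host} {name}/{port} is reachable from this segment")
    if not findings:
        print("No encoder services reachable from this segment")
```

An empty result from an untrusted segment is the expected outcome once the firewall rules are in place; any finding marks a service that the segmentation does not yet cover.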