Today, CISA added two new vulnerabilities to their Known Exploited Vulnerabilities (KEV) catalog. Both vulnerabilities are for PT30X-SDI/NDI Cameras from PTZOptics. The vulnerabilities were originally reported by Konstantin Lazarev of GreyNoise. PTZOptics has a new firmware version that mitigates the vulnerabilities. Federal agencies that own or operate these cameras have until November 25th, 2024, to “Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.”
The two newly added vulnerabilities are:
• OS command injection - CVE-2024-8957, and
• Improper authentication - CVE-2024-8956
Note: Links above are for advisories published by VulnCheck.
An interesting side note: PTZOptics made the corrected version of the firmware available on September 17th, 2024. The change log for v6.3.40 does not specifically identify these two vulnerabilities. Instead, it reports: “General Security Fixes.”
One final note: The two VulnCheck advisories report that these vulnerabilities also affect “Other white-label AV equipment based on ValueHD Corporation PTZ Camera Firmware”. This is not mentioned in the CISA KEV notice.
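For anyone who has to act on this, the practical question is which cameras in inventory are still below the fixed firmware and how many days remain before the KEV due date. The script below is an added example, not code from the post, from CISA or from PTZOptics. The KEV records are constructed to mirror the field names of CISA's KEV JSON feed; only the CVE IDs, vendor, product, due date and required action are taken from the post, and the inventory hosts and firmware strings are made up. It matches on vendor name only, so white-label ValueHD-based units sold under other brands would not be caught by this check.

```python
"""Flag inventory devices that fall under KEV entries and still run pre-fix firmware.

Added example. KEV_SAMPLE is constructed in the shape of the CISA KEV JSON feed;
INVENTORY is a made-up asset list.
"""
import json
import re
from datetime import date

# Firmware version the post says mitigates both CVEs.
FIXED_FIRMWARE = "v6.3.40"

# Constructed KEV feed excerpt. Field names follow the real catalog JSON;
# the third, unrelated entry exists only to show filtering.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-8956", "vendorProject": "PTZOptics",
     "product": "PT30X-SDI/NDI Cameras",
     "vulnerabilityName": "Improper authentication",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue "
                       "use of the product if mitigations are unavailable.",
     "dueDate": "2024-11-25"},
    {"cveID": "CVE-2024-8957", "vendorProject": "PTZOptics",
     "product": "PT30X-SDI/NDI Cameras",
     "vulnerabilityName": "OS command injection",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue "
                       "use of the product if mitigations are unavailable.",
     "dueDate": "2024-11-25"},
    {"cveID": "CVE-0000-0000", "vendorProject": "OtherVendor",
     "product": "Unrelated Widget", "vulnerabilityName": "Placeholder",
     "requiredAction": "Placeholder", "dueDate": "2024-12-31"},
]})

# Constructed asset inventory; hostnames and firmware strings are made up.
INVENTORY = [
    {"host": "cam-lobby-01", "vendor": "PTZOptics", "model": "PT30X-NDI", "firmware": "v6.3.20"},
    {"host": "cam-boardroom-02", "vendor": "PTZOptics", "model": "PT30X-SDI", "firmware": "v6.3.40"},
    {"host": "cam-lab-03", "vendor": "PTZOptics", "model": "PT30X-NDI", "firmware": "6.2.99"},
    {"host": "printer-01", "vendor": "Acme", "model": "LaserX", "firmware": "1.0"},
]


def parse_version(s):
    """Turn 'v6.3.40' or '6.2.99' into a comparable tuple of ints."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


def kev_entries_for(feed_text, vendor):
    """Return KEV records whose vendorProject matches the given vendor."""
    entries = json.loads(feed_text)["vulnerabilities"]
    return [e for e in entries if e["vendorProject"].lower() == vendor.lower()]


def needs_action(inventory, entries, fixed_version, today):
    """List devices below the fixed firmware that are covered by a KEV entry.

    Matching is by vendor name only: white-label hardware built on the same
    firmware but sold under another brand will not be flagged here.
    """
    fixed = parse_version(fixed_version)
    findings = []
    for dev in inventory:
        matching = [e for e in entries
                    if e["vendorProject"].lower() == dev["vendor"].lower()]
        if not matching:
            continue
        if parse_version(dev["firmware"]) >= fixed:
            continue  # already on or past the fixed release
        due = min(date.fromisoformat(e["dueDate"]) for e in matching)
        findings.append({
            "host": dev["host"],
            "firmware": dev["firmware"],
            "cves": sorted(e["cveID"] for e in matching),
            "due": due.isoformat(),
            "days_left": (due - today).days,
        })
    return findings


if __name__ == "__main__":
    ptz = kev_entries_for(KEV_SAMPLE, "PTZOptics")
    for f in needs_action(INVENTORY, ptz, FIXED_FIRMWARE, date.today()):
        print(f"{f['host']}: {f['firmware']} -> {', '.join(f['cves'])} "
              f"due {f['due']} ({f['days_left']} days left)")
```

Against the real feed, replace `KEV_SAMPLE` with the downloaded catalog JSON; the field names are the same. The vendor-only match is deliberate so that the check errs toward flagging, but it means the white-label caveat above still has to be handled by hand.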