Yesterday CISA announced that it had added a missing authorization vulnerability in the Digiever DS-2105 Pro, a Linux-embedded standalone NVR, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was first reported by Ta-Lun Yen of TXOne Research in 2023. At that time Digiever reported that the DS-2105 Pro had been end-of-life for five years and no fix was planned. Akamai reported in 2024 that they had spotted the vulnerability being exploited in their honeypots in November 2024, and that it was actively being exploited to spread Mirai variant malware. The TXOne report includes generic mitigation measures that may be applicable.
CISA has notified federal agencies using the DS-2105 Pro to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of January 12th, 2025 has been set to accomplish those actions.